From gert at greenie.muc.de Mon Dec 1 02:31:41 2008 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 1 Dec 2008 08:31:41 +0100 Subject: [c-nsp] Cisco 7600 vlan issue In-Reply-To: <49332FC0.3000308@jarruda.com> References: <500660a858matt@melbourne.org.uk> <20081130182402.GO8535@greenie.muc.de> <49332FC0.3000308@jarruda.com> Message-ID: <20081201073141.GP8535@greenie.muc.de> Hi, On Sun, Nov 30, 2008 at 07:28:48PM -0500, Julio Arruda wrote: > I was under impression the L3 forwarding and the L2 forwarding was done > by the same engine, in the PFC card(s) ? and behind it, the EARL for the > lookup and the rewriting of the header info (mac rewrite, dec ttl and > goes on) ? > That is how Nortel 8600 (and earlier gen, rapidcity-legacy) did the > work, the same lookup engine would do l2 and l3, so I may be messing up > things in my mind :-), in a little more distributed fashion (more like DFCs) As I wrote: > >[Yes, this is simplifying things a lot, but the basic architecture works > >that way - and all the rest is "powerups" to improve throughput] gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From mm at math.pub.ro Mon Dec 1 03:34:11 2008 From: mm at math.pub.ro (mm-tech) Date: Mon, 1 Dec 2008 10:34:11 +0200 (EET) Subject: [c-nsp] bgp weird issue In-Reply-To: References: Message-ID: <3176.79.118.191.161.1228120451.squirrel@ssl.math.pub.ro> > Hello John: > > > On 11/30/08 10:32 AM, "mm-tech" wrote: > > > >> The issue is after I configure the iBGP relationship between Router1 and >> Router2: connectivity to the 62.217.X.X/29 subnet on Router1 is lost. It >> cannot be pinged anymore from outside. 
>> The 91.195.X.X/23 is announced correctly through both ISPs and any IP in this /23 subnet is pingable from outside. The only problem is with the 62.217.X.X/29 block that becomes unreachable after configuring the iBGP relationship and I don't understand why this is happening.
>>
>> Sorry for the long post and I hope you'll give me some hints -:)
>>
>> Thanks,
>> John
>
> How is the /29 configured on router 1? If it's being statically routed from your ISP, then you need to have it in your IGP somehow. Something simple would be:
>
> interface x/x
>  ip address 62.217.x.x 255.255.255.248
>
> router ospf 10
>  redistribute connected subnets
>
> More information is needed, I'm afraid.
>
> Regards,
>
> Mike

Yes, the /29 subnet is configured on Router1 on an SVI interface. I haven't tried to put this /29 into my IGP. I'll try that and I'll let you know guys. If you need more info, please let me know...

Thanks,
john

From jeff.nsp at gmail.com Mon Dec 1 04:23:24 2008
From: jeff.nsp at gmail.com (Jeff Tantsura)
Date: Mon, 1 Dec 2008 10:23:24 +0100
Subject: [c-nsp] LDP label allocation modes
In-Reply-To:
References: <70B7A1CCBFA5C649BD562B6D9F7ED78406715EB0@xmb-ams-333.emea.cisco.com>
Message-ID: <001201c95396$78357960$4a0d10ac@ad.redback.com>

Hi,

With LDP, Juniper (and everyone else) does downstream unsolicited and ordered (with some hacks) control; same for Redback. Huawei, I believe, does independent.

Cheers,
Jeff

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marlon Duksa
> Sent: Tuesday 25 November 2008 18:10
> To: Oliver Boehmer (oboehmer)
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] LDP label allocation modes
>
> I'm trying to understand MPLS/LDP behavior on 7600 and figure out what I can do and what I can't.
Doing the same thing with Juniper M320 and I'm trying > to note the difference in behavior and figure out which implementation > would > fit our customer better. > > On Mon, Nov 24, 2008 at 10:50 PM, Oliver Boehmer (oboehmer) < > oboehmer at cisco.com> wrote: > > > Marlon Duksa <> wrote on Tuesday, November 25, 2008 02:55: > > > > > Hi - does anyone know what are the default label > > > distribution/allocation modes on Cisco 7600 on Ethernet interfaces > > > for LDP. > > > I suspect label distribution mode is 'downstream unsolicited' (as > > > opposed to on-demand) and label allocation is 'independent control > > > mode' (as opposed to ordered control). > > > > > > If this is correct, is there any way to change this through CLI? > > > > yes, it's correct, and you can't change it. Why are you asking? > > > > oli > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From tamas.sziraki at hu.digi.tv Mon Dec 1 04:31:15 2008 From: tamas.sziraki at hu.digi.tv (Tamas Sziraki) Date: Mon, 01 Dec 2008 10:31:15 +0100 Subject: [c-nsp] ASR terminating PPPoE In-Reply-To: References: Message-ID: <4933AEE3.3020302@hu.digi.tv> Hi, We had a 1006 with ESP10G from Cisco. 1000 sessions, 90k pps, 800M, 1-2% CPU. Tom Roddy Strachan ?rta: > Actually testing/implementing one now. > > One test we had about 12-13000 sessions on it, CPU was about 12% > > That was a rough figure... > > > > On 30/11/08 9:00 PM, "MKS" wrote: > >> Hi >> >> Has anyone any experience using the ASR 100x as a bras, terminating pppoe. >> Some traffic/sessions vs CPU load info would be great (on or off list) >> Cisco clams up to 32.000 session, does that hold? >> >> Regards >> MKS >> > > > This email and any files transmitted with it are confidential and intended > solely for the use of the individual or entity to whom they are addressed. 
> Please notify the sender immediately by email if you have received this > email by mistake and delete this email from your system. Please note that > any views or opinions presented in this email are solely those of the > author and do not necessarily represent those of the organisation. > Finally, the recipient should check this email and any attachments for > the presence of viruses. The organisation accepts no liability for any > damage caused by any virus transmitted by this email. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From david.freedman at uk.clara.net Mon Dec 1 07:02:38 2008 From: david.freedman at uk.clara.net (David Freedman) Date: Mon, 01 Dec 2008 12:02:38 +0000 Subject: [c-nsp] Cisco 7600 vlan issue In-Reply-To: <20081128185748.GA19050@mx.ytti.net> References: <330568.38828.qm@web44809.mail.sp1.yahoo.com> <493015F1.8090901@forthnet.gr> <49301741.9050500@forthnet.gr> <20081128185748.GA19050@mx.ytti.net> Message-ID: SIP/SPA does indeed provide per-port local VLAN significance for this platform, please prepare your wallet in such case :) Dave. Saku Ytti wrote: > On (2008-11-28 18:07 +0200), Tassos Chatzithomaoglou wrote: > >> Just to add (if i remember right) that ES and SRB didn't support local VLAN significance under single tagged subifs. >> I haven't checked if SRD and/or ES+ solve this problem. > > ES+ does solve the issue indeed, but you're still limited to 4k VLANs. In ES cards > you need you use EVC to terminate colliding VLANs. > Cisco, please allow defining IP address directly under EVC, without requiring > bridge-group. For setups where you always only terminate through > one interface, switching is not needed and the additional configuration > is undesired. 
> > >> -- >> Tassos >> >> Tassos Chatzithomaoglou wrote on 28/11/2008 18:01: >>> You're looking for "local VLAN significance". >>> >>> You probably have to get one of the WAN-style (ES20/40 for sure, don't >>> know for SIP/SPA) cards. >>> >>> -- >>> Tassos >>> >>> Mark Tech wrote on 28/11/2008 17:52: >>>> Hi >>>> With my GSR, I can split traffic on seperate physical interfaces, >>>> reusing the same vlan #, i.e. >>>> >>>> interface GigabitEthernet0/0/6.2 >>>> encapsulation dot1Q 2 >>>> ip address 7.7.7.1 255.255.255.252 >>>> no ip directed-broadcast >>>> no cdp enable >>>> ! >>>> interface GigabitEthernet0/0/7.2 >>>> encapsulation dot1Q 2 >>>> ip address 8.8.8.1 255.255.255.252 >>>> no ip directed-broadcast >>>> no cdp enable >>>> >>>> However with a 7600, if I try to do the same I get the following error: >>>> >>>> >>>> >>>> interface GigabitEthernet1/9.2 >>>> encapsulation dot1Q 2 >>>> ip address 3.3.3.1 255.255.255.252 >>>> no cdp enable >>>> ! >>>> 7600(config)#interface GigabitEthernet1/10.2 >>>> 7600(config-subif)# encapsulation dot1Q 2 >>>> Command rejected: VLAN 10 not available >>>> 7600(config-subif)# >>>> >>>> >>>> Is there anyway around this? I want the 7600 to act like a router, >>>> not a switch! 
>>>> >>>> Regards >>>> >>>> Mark >>>> >>>> >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > From saku+cisco-nsp at ytti.fi Mon Dec 1 07:50:50 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Mon, 1 Dec 2008 14:50:50 +0200 Subject: [c-nsp] Cisco 7600 vlan issue In-Reply-To: References: <330568.38828.qm@web44809.mail.sp1.yahoo.com> <493015F1.8090901@forthnet.gr> <49301741.9050500@forthnet.gr> <20081128185748.GA19050@mx.ytti.net> Message-ID: <20081201125050.GA9640@mx.ytti.net> On (2008-12-01 12:02 +0000), David Freedman wrote: > SIP/SPA does indeed provide per-port local VLAN significance for this > platform, please prepare your wallet in such case :) Not 100% sure where this reply was directed, but SIP/SPA has exactly same caveats as ES+, you're still limited to 4k VLANs per chassis, as each L3 interface sucks 1 VLAN, ES+ nor SIP/SPA changes this. And the actual number of interface is even lower than 4k, if you use VRFs, as each VRF suck one VLAN too, if you are not utilizing VPN-CAM. > >> Just to add (if i remember right) that ES and SRB didn't support local VLAN significance under single tagged subifs. > >> I haven't checked if SRD and/or ES+ solve this problem. > > > > ES+ does solve the issue indeed, but you're still limited to 4k VLANs. In ES cards > > you need you use EVC to terminate colliding VLANs. > > Cisco, please allow defining IP address directly under EVC, without requiring > > bridge-group. For setups where you always only terminate through > > one interface, switching is not needed and the additional configuration > > is undesired. 
> >> Tassos Chatzithomaoglou wrote on 28/11/2008 18:01: > >>> You're looking for "local VLAN significance". > >>> > >>> You probably have to get one of the WAN-style (ES20/40 for sure, don't > >>> know for SIP/SPA) cards. -- ++ytti From saku+cisco-nsp at ytti.fi Mon Dec 1 07:58:31 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Mon, 1 Dec 2008 14:58:31 +0200 Subject: [c-nsp] Cisco 7600 vlan issue In-Reply-To: <49332FC0.3000308@jarruda.com> References: <500660a858matt@melbourne.org.uk> <20081130182402.GO8535@greenie.muc.de> <49332FC0.3000308@jarruda.com> Message-ID: <20081201125831.GB9640@mx.ytti.net> On (2008-11-30 19:28 -0500), Julio Arruda wrote: > I was under impression the L3 forwarding and the L2 forwarding was done > by the same engine, in the PFC card(s) ? and behind it, the EARL for the > lookup and the rewriting of the header info (mac rewrite, dec ttl and > goes on) ? Inside PFC/EARL you have Tycho for L3 and Superman for L2. Or one cost reduced version called Supertycho (with bus chip functionality separated to dedicated chip called Kuma) in 3C and up (prolly nexus too then). > That is how Nortel 8600 (and earlier gen, rapidcity-legacy) did the > work, the same lookup engine would do l2 and l3, so I may be messing up > things in my mind :-), in a little more distributed fashion (more like > DFCs) Dunno if this true, prolly depends how deep inside the die you look. Also not sure what relevance there is if L2/L3 lookup is in one engine or several engines. In my mind at least it's not advantage or disadvantage for consumer, except for the fewer dies you have, the cheaper it is to produce (better yields) and less power will probably be dissimulated as heat. 
-- ++ytti From jr at xor.at Mon Dec 1 07:20:53 2008 From: jr at xor.at (Johannes Resch) Date: Mon, 1 Dec 2008 13:20:53 +0100 (CET) Subject: [c-nsp] Cisco 7600 vlan issue In-Reply-To: References: <330568.38828.qm@web44809.mail.sp1.yahoo.com> <493015F1.8090901@forthnet.gr> <49301741.9050500@forthnet.gr> <20081128185748.GA19050@mx.ytti.net> Message-ID: <58848.195.112.95.126.1228134053.squirrel@and.xor.at> On Mon, December 1, 2008 13:02, David Freedman wrote: > SIP/SPA does indeed provide per-port local VLAN significance for this > platform, please prepare your wallet in such case :) > > Dave. However, SIP/SPA still consume global (internal) VLAN resources per L3 subif..only the VLAN IDs need not match. Basically there is NO way for 6500/7600 which can get you around this 4k VLAN/IFL per box scaling issue when doing L3 termination. As others have pointed out, using service instances on ES/ES+ will not require global VLANs, but this only applies for terminating plain PWEs. For L3 subif/VPLS, again a global VLAN/SVI is required. Of course the box might still be 'good enough', only depends on your deployment scenario.. -jr From saku+cisco-nsp at ytti.fi Mon Dec 1 08:30:11 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Mon, 1 Dec 2008 15:30:11 +0200 Subject: [c-nsp] Cisco 7600 vlan issue In-Reply-To: <58848.195.112.95.126.1228134053.squirrel@and.xor.at> References: <330568.38828.qm@web44809.mail.sp1.yahoo.com> <493015F1.8090901@forthnet.gr> <49301741.9050500@forthnet.gr> <20081128185748.GA19050@mx.ytti.net> <58848.195.112.95.126.1228134053.squirrel@and.xor.at> Message-ID: <20081201133011.GB10202@mx.ytti.net> On (2008-12-01 13:20 +0100), Johannes Resch wrote: > As others have pointed out, using service instances on ES/ES+ will not > require global VLANs, but this only applies for terminating plain PWEs. > For L3 subif/VPLS, again a global VLAN/SVI is required. This is not true for ES+, ES+ can have, like SIP/SPA single tagged colliding VLANs in different interface. 
-- ++ytti From jr at xor.at Mon Dec 1 08:48:52 2008 From: jr at xor.at (Johannes Resch) Date: Mon, 1 Dec 2008 14:48:52 +0100 (CET) Subject: [c-nsp] Cisco 7600 vlan issue In-Reply-To: <20081201133011.GB10202@mx.ytti.net> References: <330568.38828.qm@web44809.mail.sp1.yahoo.com> <493015F1.8090901@forthnet.gr> <49301741.9050500@forthnet.gr> <20081128185748.GA19050@mx.ytti.net> <58848.195.112.95.126.1228134053.squirrel@and.xor.at> <20081201133011.GB10202@mx.ytti.net> Message-ID: <22007.195.112.95.126.1228139332.squirrel@and.xor.at> On Mon, December 1, 2008 14:30, Saku Ytti wrote: > On (2008-12-01 13:20 +0100), Johannes Resch wrote: > >> As others have pointed out, using service instances on ES/ES+ will not >> require global VLANs, but this only applies for terminating plain PWEs. >> For L3 subif/VPLS, again a global VLAN/SVI is required. > > This is not true for ES+, ES+ can have, like SIP/SPA single tagged > colliding VLANs in different interface. That's true - however I was not referring to uniqueness of VLAN IDs, but about consumption of global resources. In terms of global VLAN resource consumption there is no difference between ES/ES+. While you can have local significant VLAN ID numbers on ES+ also for single-tagged L3 subifs, there are still global internal VLANs being used in either case. -jr From jmenendez at mecon.gov.ar Mon Dec 1 12:53:41 2008 From: jmenendez at mecon.gov.ar (Juan Angel Menendez) Date: Mon, 01 Dec 2008 14:53:41 -0300 Subject: [c-nsp] Nexus 7000 fiber 1GBit linecard. 
In-Reply-To: References: <200811111449.mABEnfOu030925@racing2.mecon.ar> Message-ID: <200812011753.mB1Hrf1c005254@racing2.mecon.ar> It's already here: N7K-M148GS-11 Nexus 7000 Series 48-Port Gigabit Ethernet Module (SFP) with 40 Gbps Fabric http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/Data_Sheet_C78-437763.html Regards Juan At 11:02 13/11/2008, Fernando de Aquilino Corr?a wrote: >Hello, > >According to a Sales Engineer at Cisco, this is >going to be available some time in H1 2009. >It'll be a 48 port SFP line card if I remember correctly. > >I'd love to have their roadmap for this switch. > >Att, >Fernando > >-----Original Message----- >From: cisco-nsp-bounces at puck.nether.net >[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Juan Angel Menendez >Sent: ter?a-feira, 11 de novembro de 2008 12:50 >To: cisco-nsp at puck.nether.net >Subject: [c-nsp] Nexus 7000 fiber 1GBit linecard. > > > > Hello list, > > We're interested in the Nexus 7000 platform but we're wondering if >fiber 1GBit linecard is going to be available anytime soon ? > > Thanks in advance. > >Regards >Juan > >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at http://puck.nether.net/pipermail/cisco-nsp/ From icox at cisco.com Mon Dec 1 14:29:09 2008 From: icox at cisco.com (Ian Cox) Date: Mon, 01 Dec 2008 11:29:09 -0800 Subject: [c-nsp] Cisco 7600 vlan issue In-Reply-To: <20081201125831.GB9640@mx.ytti.net> References: <500660a858matt@melbourne.org.uk> <20081130182402.GO8535@greenie.muc.de> <49332FC0.3000308@jarruda.com> <20081201125831.GB9640@mx.ytti.net> Message-ID: <49343B05.1090106@cisco.com> Saku Ytti wrote: > On (2008-11-30 19:28 -0500), Julio Arruda wrote: > >> I was under impression the L3 forwarding and the L2 forwarding was done >> by the same engine, in the PFC card(s) ? 
and behind it, the EARL for the >> lookup and the rewriting of the header info (mac rewrite, dec ttl and >> goes on) ? > > Inside PFC/EARL you have Tycho for L3 and Superman for L2. Or > one cost reduced version called Supertycho (with bus chip functionality > separated to dedicated chip called Kuma) in 3C and up (prolly > nexus too then). Nexus 7000 run a newer generation of the PFCx ASIC which allows for vlan uniqueness per port. Ian > >> That is how Nortel 8600 (and earlier gen, rapidcity-legacy) did the >> work, the same lookup engine would do l2 and l3, so I may be messing up >> things in my mind :-), in a little more distributed fashion (more like >> DFCs) > > Dunno if this true, prolly depends how deep inside the die you look. > Also not sure what relevance there is if L2/L3 lookup is in one engine > or several engines. In my mind at least it's not advantage or disadvantage > for consumer, except for the fewer dies you have, the cheaper > it is to produce (better yields) and less power will probably > be dissimulated as heat. > From icox at cisco.com Mon Dec 1 14:39:44 2008 From: icox at cisco.com (Ian Cox) Date: Mon, 01 Dec 2008 11:39:44 -0800 Subject: [c-nsp] Cisco 7600 vlan issue In-Reply-To: <49332FC0.3000308@jarruda.com> References: <500660a858matt@melbourne.org.uk> <20081130182402.GO8535@greenie.muc.de> <49332FC0.3000308@jarruda.com> Message-ID: <49343D80.7080901@cisco.com> Julio Arruda wrote: > > I was under impression the L3 forwarding and the L2 forwarding was done > by the same engine, in the PFC card(s) ? and behind it, the EARL for the > lookup and the rewriting of the header info (mac rewrite, dec ttl and > goes on) ? PFC/DFC - is the customer facing name for the L2 and L3/L4 forwarding engines on the 6500. EARL x - is the internal name used to refer to the L2 and L3/L4 forwarding engine, x being the generation of the forwarding engine. 
EARL generation and PFC/DFC versions do not directly match, but map as follows EARL PFC/DFC 5 PFC Supervisor 1A 6 PFC2 / DFC Supervisor 2 7 PFC3 / DFC3 Supervisor 720 Depending upon the features and the availability of particular ASIC processes the forwarding engine has ranged from four ASICs to a single ASIC. The exact number varies from generation to generation, and even within revisions within a generation. Ian From jarruda-cnsp at jarruda.com Mon Dec 1 14:50:18 2008 From: jarruda-cnsp at jarruda.com (Julio Arruda) Date: Mon, 01 Dec 2008 14:50:18 -0500 Subject: [c-nsp] Cisco 7600 vlan issue In-Reply-To: <49343D80.7080901@cisco.com> References: <500660a858matt@melbourne.org.uk> <20081130182402.GO8535@greenie.muc.de> <49332FC0.3000308@jarruda.com> <49343D80.7080901@cisco.com> Message-ID: <49343FFA.7060205@jarruda.com> Ian Cox wrote: > Julio Arruda wrote: > >> I was under impression the L3 forwarding and the L2 forwarding was done >> by the same engine, in the PFC card(s) ? and behind it, the EARL for the >> lookup and the rewriting of the header info (mac rewrite, dec ttl and >> goes on) ? > > PFC/DFC - is the customer facing name for the L2 and L3/L4 forwarding > engines on the 6500. > > EARL x - is the internal name used to refer to the L2 and L3/L4 > forwarding engine, x being the generation of the forwarding engine. EARL > generation and PFC/DFC versions do not directly match, but map as follows > > EARL PFC/DFC > 5 PFC Supervisor 1A > 6 PFC2 / DFC Supervisor 2 > 7 PFC3 / DFC3 Supervisor 720 > > Depending upon the features and the availability of particular ASIC > processes the forwarding engine has ranged from four ASICs to a single > ASIC. The exact number varies from generation to generation, and even > within revisions within a generation. And I understand Nexus is the EARL8, correct ? And this would also mean the 3B, 3C and the XLs are all EARL7, but with distinct sizes for the TCAMs tied to them ? 
Is there any document on the Cisco website with this level of detail, and for the other less 'obvious' cards, like the ES20 and the others?

From chloekcy2000 at yahoo.ca Mon Dec 1 15:46:49 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Mon, 1 Dec 2008 15:46:49 -0500 (EST)
Subject: [c-nsp] security
Message-ID: <513746.70502.qm@web57414.mail.re1.yahoo.com>

Hi

I read the doc about "no ip direct broadcast" but I still don't understand. Can you give me an example?

Thank you

From MatlockK at exempla.org Mon Dec 1 15:53:36 2008
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Mon, 1 Dec 2008 13:53:36 -0700
Subject: [c-nsp] security
In-Reply-To: <513746.70502.qm@web57414.mail.re1.yahoo.com>
References: <513746.70502.qm@web57414.mail.re1.yahoo.com>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7037AFA84@LMC-MAIL2.exempla.org>

An IP directed broadcast is an IP packet destined for the network or broadcast address.

So for example let's say you have a subnet of 192.168.1.0/24

192.168.1.0 is the network address.
192.168.1.255 is the broadcast address.

An IP packet destined for 192.168.1.255 (the destination address) would by default get broadcast out to all ports in the VLAN/LAN/etc that are on the 192.168.1.0 network (something like the FF:FF:FF:FF:FF:FF address on a Layer 2 segment).

Putting that command in disables that 'feature'.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chloe K
Sent: Monday, December 01, 2008 1:47 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] security

Hi

I read the doc about "no ip direct broadcast" but I still don't understand. Can you give me an example?

Thank you

From jay at west.net Mon Dec 1 16:29:45 2008
From: jay at west.net (Jay Hennigan)
Date: Mon, 01 Dec 2008 13:29:45 -0800
Subject: [c-nsp] security
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7037AFA84@LMC-MAIL2.exempla.org>
References: <513746.70502.qm@web57414.mail.re1.yahoo.com> <4288131ED5E3024C9CD4782CECCAD2C7037AFA84@LMC-MAIL2.exempla.org>
Message-ID: <49345749.6060602@west.net>

Matlock, Kenneth L wrote:
> An IP directed broadcast is an IP packet destined for the network or broadcast address.
>
> So for example let's say you have a subnet of 192.168.1.0/24
>
> 192.168.1.0 is the network address.
> 192.168.1.255 is the broadcast address.
>
> An IP packet destined for 192.168.1.255 (the destination address) would by default get broadcast out to all ports in the VLAN/LAN/etc that are on the 192.168.1.0 network (something like the FF:FF:FF:FF:FF:FF address on a Layer 2 segment).
>
> Putting that command in disables that 'feature'.

Ken explained it nicely. The benefit of this from a security standpoint is that it prevents your network from becoming a smurf "amplifier".

ICMP is connectionless, so it can be easily spoofed. A denial-of-service attack called "smurf" consists of sending ICMP ping packets forged with the source of your victim to the all-1s broadcast address of a well-connected subnet with lots of hosts. This is a packet directed to the broadcast address of the subnet, hence "directed broadcast". All of the hosts on that subnet will then reply to the forged address of the victim, which can overwhelm the victim's network and possibly yours or one in the middle.

The command "no ip directed-broadcast" causes the router to drop packets directed to the broadcast address of the subnet.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From lists at hojmark.org Mon Dec 1 17:04:27 2008
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Mon, 1 Dec 2008 23:04:27 +0100
Subject: [c-nsp] To OSR7609 or not to OSR7609?
In-Reply-To: <20081130225324.GC72019@gerbil.cluepon.net>
References: <4A0995FD04B7479B934669112BFF72B9@hojmark.net> <20081130225324.GC72019@gerbil.cluepon.net>
Message-ID: <5E11D326F33045C980963046D4C8C4DE@hojmark.net>

>> 12.2 SR doesn't support the OSR 7609 chassis.
>> 12.2 SXF does support it, but is no longer getting new features.
>> 12.2 SXH and newer doesn't support that chassis either.

> OSR is nothing more than an old product name for a 7609 chassis bundled with a SUP2/MSFC2.

Yes, I saw that comment. Have you actually tried?

A customer told me they'd tried upgrading and had found that they couldn't. A Cisco SE told me the OSR name is burned in NVRAM, and that the software checks for that.

-A

From lists at hojmark.org Mon Dec 1 17:05:13 2008
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Mon, 1 Dec 2008 23:05:13 +0100
Subject: [c-nsp] To OSR7609 or not to OSR7609?
References: <4A0995FD04B7479B934669112BFF72B9@hojmark.net> <20081130225324.GC72019@gerbil.cluepon.net>
Message-ID:

> A customer told me they'd tried upgrading and had found that they couldn't. A Cisco SE told me the OSR name is burned in NVRAM, and that the software checks for that.

Sorry, EEPROM.

-A

From oiyankok at yahoo.ca Mon Dec 1 20:15:50 2008
From: oiyankok at yahoo.ca (ann kok)
Date: Mon, 1 Dec 2008 17:15:50 -0800 (PST)
Subject: [c-nsp] csm
Message-ID: <829932.59494.qm@web111306.mail.gq1.yahoo.com>

Hi

I add port 53 in csm. How can I do the health check for this port 53?
Thank you __________________________________________________________________ Instant Messaging, free SMS, sharing photos and more... Try the new Yahoo! Canada Messenger at http://ca.beta.messenger.yahoo.com/ From kgraham at industrial-marshmallow.com Mon Dec 1 20:53:17 2008 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Mon, 1 Dec 2008 17:53:17 -0800 (PST) Subject: [c-nsp] csm Message-ID: <810335.96386.qm@web905.biz.mail.mud.yahoo.com> > I add port 53 in csm. > How can I do the health check for this port53 Assuming by "adding port 53" you mean "added a DNS server listening on port 53": http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/helthmon.html#wp1025212 From nimal at fnbs.net Mon Dec 1 23:17:19 2008 From: nimal at fnbs.net (Nimal David Sirimanne) Date: Tue, 02 Dec 2008 12:17:19 +0800 Subject: [c-nsp] Can't configure IP SLA Message-ID: <4934B6CF.6070607@fnbs.net> Hi guys, I've got a new Cisco 3550, and i'm trying to play around with the IP sla (IP SLAs - ICMP Echo Operation ). I'm pretty sure the IOS is capable of this because i went to Cisco feature navigator (http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp) and it confirms the IOS image i'm using on this device model should support ip sla. The IOS i'm using is Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(25)SEE1, RELEASE SOFTWARE (fc1) However, when i go to config mode, i get this: Switch(config)#ip sla ? % Unrecognized command Is there something i need to enable? Thanks! Nimal David Sirimanne From ranmails at gmail.com Tue Dec 2 00:13:25 2008 From: ranmails at gmail.com (Ran Liebermann) Date: Tue, 2 Dec 2008 07:13:25 +0200 Subject: [c-nsp] 7600-RSP720-10GE - which IOS ? 
In-Reply-To: <42F0C766A9A8DB47B5E86CA64738DC8B01905CC1@bilbo.bdhz.c2c.local> References: <42F0C766A9A8DB47B5E86CA64738DC8B01905CC1@bilbo.bdhz.c2c.local> Message-ID: <8c19328e0812012113u37e5dfd4v2f76fcd9f893d0e1@mail.gmail.com> SRC2 is obviously the least buggy from this list. -- Ran. On 11/27/08, Martin Moens wrote: > Hi list, > > I will problably receive a rsp720-3CXL 10G to replace an rsp720-3C-GE later > this week, and I am curious if any of of you can give me advice on which IOS > version to go for.. I see I can choose from SRC,SRC1,SRC2 and SRD versions. > Anyone has good/bad experiences with one of the above? > > Tnx, > > Martin > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- Ran Liebermann VP Engineering, PurePeak ranl at purepeak.com http://purepeak.com From jadavis at cisco.com Tue Dec 2 00:16:08 2008 From: jadavis at cisco.com (Jason Davis (jadavis)) Date: Tue, 2 Dec 2008 00:16:08 -0500 Subject: [c-nsp] Can't configure IP SLA Message-ID: What do you get from 'show ip sla app' or 'show rtr app'? You might need the older syntax on that release. If you only see 'show ip sla responder' then the IPServices feature-set that you are using only has the responder functionality, not the entire IP SLA code base. You'd need to move up to something higher... IP Plus...Enterprise... ===Original Message=== Hi guys, I've got a new Cisco 3550, and i'm trying to play around with the IP sla (IP SLAs - ICMP Echo Operation ). I'm pretty sure the IOS is capable of this because i went to Cisco feature navigator (http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp ) and it confirms the IOS image i'm using on this device model should support ip sla. 
The IOS i'm using is Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(25)SEE1, RELEASE SOFTWARE (fc1) However, when i go to config mode, i get this: Switch(config)#ip sla ? % Unrecognized command Is there something i need to enable? Thanks! Nimal David Sirimanne === = Jason C. Davis / Network Management Consultant = Cisco Systems, Inc. - Advanced Services - Central Engineering, Network Management Team = (919)392-8407 office / (919)622-1134 mobile From john.arden at oryx.cc Tue Dec 2 00:14:30 2008 From: john.arden at oryx.cc (John Arden) Date: Mon, 01 Dec 2008 23:14:30 -0600 Subject: [c-nsp] ipv6 6to4 configuration possible on ASA 5500 series? Message-ID: <4934C436.7000903@oryx.cc> is it possible to do a ipv6 6to4 configuration on a 5500 series ASA? All of my CCO, Yahoo and Google searches turn up plenty of sample configurations for routers, but nothing for ASA's. I am using this OS. --------------------------------------------------------- Cisco Adaptive Security Appliance Software Version 8.0(4) --------------------------------------------------------- TIA, John From rinse.kloek at isp.solcon.nl Tue Dec 2 02:16:31 2008 From: rinse.kloek at isp.solcon.nl (Rinse Kloek) Date: Tue, 02 Dec 2008 08:16:31 +0100 Subject: [c-nsp] ASR terminating PPPoE In-Reply-To: References: Message-ID: <4934E0CF.1020309@isp.solcon.nl> Looks like every thousand user uses 1% CPU. What kind of features did you enable (BGP/OSP/ACL's ? ) Roddy Strachan schreef: > Actually testing/implementing one now. > > One test we had about 12-13000 sessions on it, CPU was about 12% > > That was a rough figure... > > > > On 30/11/08 9:00 PM, "MKS" wrote: > > >> Hi >> >> Has anyone any experience using the ASR 100x as a bras, terminating pppoe. >> Some traffic/sessions vs CPU load info would be great (on or off list) >> Cisco clams up to 32.000 session, does that hold? 
>>
>> Regards
>> MKS
>>
>

From simon at pitwood.org Tue Dec 2 02:37:34 2008
From: simon at pitwood.org (Simon)
Date: Tue, 2 Dec 2008 07:37:34 +0000
Subject: [c-nsp] ipv6 6to4 configuration possible on ASA 5500 series?
In-Reply-To: <4934C436.7000903@oryx.cc>
References: <4934C436.7000903@oryx.cc>
Message-ID: <94DD81A5-4EF8-4C02-8336-D21D1B5B8B9F@pitwood.org>

As far as I know you can't do that, you will need a router in place.

Sent from my iPhone

On 2 Dec 2008, at 05:14, John Arden wrote:
> is it possible to do a ipv6 6to4 configuration on a 5500 series ASA?

From perc69 at gmail.com Tue Dec 2 05:09:38 2008
From: perc69 at gmail.com (Pelle)
Date: Tue, 2 Dec 2008 11:09:38 +0100
Subject: [c-nsp] PMTUD broken on 12.4(15)Tx (and later)?
Message-ID: <746ca6da0812020209j125c733dm8a22f37e51d2ee69@mail.gmail.com>

Hi.

We do have a customer case using "Client-Initiated L2TP tunneling" between the LNS and the CPE. Trying to be polite we have used PMTUD on the pseudowire, and it has caused no pain using 12.4(9)Tx. Recently one CPE was shipped with 12.4(15)Tx, and suddenly no customer traffic (Windows hosts) went through the circuit. Does this sound familiar to someone?

The router used as CPE is a 878, the LNS is a 7200/NPE-G2 running SRC2.

From the CPE running 12.4(15)T7:

Configuration:

l2tp-class L2TP
 hostname
 password
!
pseudowire-class PW
 encapsulation l2tpv2
 protocol l2tpv2 L2TP
 ip pmtu
 ip dfbit set
!
interface Virtual-PPP62
 ip address negotiated
 ppp authentication pap callin
 ppp pap sent-username password
 ppp ipcp route default
 pseudowire 62.99.1.1 62 pw-class PW

The routing looks like:

cpe#sh ip ro
Gateway of last resort is 62.99.4.1 to network 0.0.0.0

     62.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       62.99.4.1/32 is directly connected, Virtual-PPP62
S       62.99.1.1/32 is directly connected, ATM0.1
C       62.99.2.0/30 is directly connected, ATM0.1
C       62.99.4.43/32 is directly connected, Virtual-PPP62
S*   0.0.0.0/0 [1/0] via 62.99.4.1

When pinging a remote host routed via the Virtual-PPP interface, everything is shiny until I try the same with the DF-bit set. A "debug ip icmp" trace is also shown.
cpe#ping 62.2.0.1 repeat 1

Sending 1, 100-byte ICMP Echos to 62.2.0.1, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms

syslog:
Dec 2 10:26:27 CET: ICMP: echo reply rcvd, src 62.2.0.1, dst 62.99.4.43
ping 62.2.0.1 repeat 1 df

cpe#ping 62.2.0.1 repeat 1 df-bit

Sending 1, 100-byte ICMP Echos to 62.2.0.1, timeout is 2 seconds:
Packet sent with the DF bit set
M
Success rate is 0 percent (0/1)

syslog:
Dec 2 10:26:33 CET: ICMP: dst (62.99.4.43) frag. needed and DF set unreachable rcv from 62.2.0.1

The source IP-address in the last ICMP reply is bogus (or buggy). Sniffing the Vlan carrying the traffic between the CPE and the LNS clearly reveals NO traffic is leaving the CPE.

When pinging without the DF-bit set, I do see the traffic on the Vlan:

10:26:24.501539 vlan 162, p 0, IP 62.99.2.2.1701 > 62.99.1.1.1701: l2tp:[OP](20868/52254) {LCP, Echo-Request (0x09), id 104, length 14}
10:26:24.501743 vlan 162, p 0, IP 62.99.1.1.1701 > 62.99.2.2.1701: l2tp:[OP](33620/1373) {LCP, Echo-Reply (0x0a), id 104, length 14}
10:26:27.530673 vlan 162, p 0, IP 62.99.2.2.1701 > 62.99.1.1.1701: l2tp:[O](20868/17425) {IP 62.99.4.43 > 62.2.0.1: ICMP echo request, id 47, seq 0, length 80}
10:26:27.531384 vlan 162, p 0, IP 62.99.1.1.1701 > 62.99.2.2.1701: l2tp:[O](33620/1372) {IP 62.2.0.1 > 62.99.4.43: ICMP echo reply, id 47, seq 0, length 80}
10:26:30.643664 vlan 162, p 0, IP 62.99.2.2.1701 > 62.99.1.1.1701: l2tp:[OP](20868/17425) {LCP, Echo-Request (0x09), id 105, length 14}
10:26:30.643884 vlan 162, p 0, IP 62.99.1.1.1701 > 62.99.2.2.1701: l2tp:[OP](33620/1372) {LCP, Echo-Reply (0x0a), id 105, length 14}
10:26:32.600105 vlan 162, p 0, IP 62.99.1.1.1701 > 62.99.2.2.1701: l2tp:[OP](33620/1372) {LCP, Echo-Request (0x09), id 108, length 14}
10:26:32.603199 vlan 162, p 0, IP 62.99.2.2.1701 > 62.99.1.1.1701: l2tp:[OP](20868/17425) {LCP, Echo-Reply (0x0a), id 108, length 14}
10:26:32.632030 vlan 162, p 0, IP 62.99.1.1.1701 > 62.99.2.2.1701: l2tp:[OP](33620/1373) {LCP, Echo-Request (0x09), id 108, length 14}
10:26:32.635035 vlan 162, p 0, IP 62.99.2.2.1701 > 62.99.1.1.1701: l2tp:[OP](20868/52254) {LCP, Echo-Reply (0x0a), id 108, length 14}
10:26:34.738665 vlan 162, p 0, IP 62.99.2.2.1701 > 62.99.1.1.1701: l2tp:[OP](20868/52254) {LCP, Echo-Request (0x09), id 105, length 14}
10:26:34.738875 vlan 162, p 0, IP 62.99.1.1.1701 > 62.99.2.2.1701: l2tp:[OP](33620/1373) {LCP, Echo-Reply (0x0a), id 105, length 14}

Pinging the LNS terminating the L2TP session (which of course is NOT routed via the Virtual-PPP interface) does work fine:

cpe#ping 62.99.1.1 repeat 1 df-bit

Sending 1, 100-byte ICMP Echos to 62.99.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms

syslog:
Dec 2 10:50:39 CET: ICMP: echo reply rcvd, src 62.99.1.1, dst 62.99.2.2

10:50:39.508530 vlan 162, p 0, IP 62.99.2.2 > 62.99.1.1: ICMP echo request, id 50, seq 0, length 80
10:50:39.508870 vlan 162, p 0, IP 62.99.1.1 > 62.99.2.2: ICMP echo reply, id 50, seq 0, length 80

If I remove "ip pmtu" from the pseudowire-class, pinging over the Virtual-PPP session works fine with a set DF-bit.

cpe(config)#pseudowire-class PW
cpe(config-pw-class)#no ip pmtu
cpe(config-pw-class)#end
Dec 2 10:55:34 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP62, changed state to down
Dec 2 10:55:38 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP62, changed state to up

cpe#sh int virtual-ppp 62
Virtual-PPP62 is up, line protocol is up
  Hardware is Virtual PPP interface
  Internet address is 62.99.4.44/32

cpe#ping 62.2.0.1 repeat 1 df-bit

Sending 1, 100-byte ICMP Echos to 62.2.0.1, timeout is 2 seconds:
Packet sent with the DF bit set
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 4/4/4 ms

syslog:
Dec 2 10:56:50 CET: ICMP: echo reply rcvd, src 62.2.0.1, dst 62.99.4.44

10:56:50.833757 vlan 162, p 0, IP 62.99.2.2.1701 > 62.99.1.1.1701: l2tp:[O](20868/47771) {IP 62.99.4.44 > 62.2.0.1: ICMP echo request, id 51, seq 0, length 80}
10:56:50.834445 vlan 162, p 0, IP 62.99.1.1.1701 > 62.99.2.2.1701: l2tp:[O](33620/1374) {IP 62.2.0.1 > 62.99.4.44: ICMP echo reply, id 51, seq 0, length 80}

The same behavior is seen on 12.4(20)Tx as well.

Note: The captures are not from a production network, so all IP-addresses are used in a private context (read: lab environment). There is no affiliation with neither "Cablecom GmbH" (62.2.0.0/16) nor "Euskaltel" (62.99.0.0/17).

--
Pelle

From zivl at gilat.net Tue Dec 2 05:36:03 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 2 Dec 2008 12:36:03 +0200
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
Message-ID:

Hi all,
I know this has probably been asked a thousand times. I'm not asking for answers, only for directions on where to start from.
I have a network with three 7200VXR routers running C7200-IS-M Ver. 12.4(13b)
We run a few BGP uplink peers and we're uplink providers to a few many other customers BGP peers, all this in a IPv4 only environment.
I knew this day will come soon, it's like a nightmare above our heads.
One of our biggest customers peer is requiring us to set a IPv6 peer with them.
I need some help in finding any information I need in order to make it work (Hardware, IOS, BGP configuration, IPv4←→IPv6 mixing, consequences, tradeoffs, etc)
I have no clue about IPv6, I only know it's a darn big range and a very weird and impossible to remember addresses format (HEXA?).
We still don't have our own IPv6 range, we need to apply for one on RIPE, we don't know which one of our uplink providers support IPv6 either…
Will we be able to perform this task by ourselves or with the lack of knowledge/experience will be better to call someone that knows the job?
Perhaps Hank?

Thanks in advance,

Ziv

From risnaini at indo.net.id Tue Dec 2 05:59:34 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Tue, 02 Dec 2008 17:59:34 +0700
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
In-Reply-To:
References:
Message-ID: <49351516.4080304@indo.net.id>

No need to scare, 7200 VXR is too much I think. Number of ipv6 prefixes only 1500. Configuration a bit 'similar' to IPv4, it just your BGP configuration divided into ipv4 & ipv6 address family. All policy as well.

What you can do (in Gilat) if your provider doesn't support IPv6 yet (it might be they did, but only for research not on production ;)) you still have a choice of BGP6 over tunnel with many free IPv6 tunnel broker providers (Hurricane Electric for an Example).

a. r. isnaini rangkayo sutan

Ziv Leyes wrote:
> Hi all,
> I know this has probably been asked a thousand times. I'm not asking for answers, only for directions on where to start from.

From tim at muppetz.com Tue Dec 2 05:48:55 2008
From: tim at muppetz.com (TiM)
Date: Tue, 2 Dec 2008 10:48:55 -0000 (GMT)
Subject: [c-nsp] Does traffic routing through a PE get an MPLS label added/removed?
Message-ID: <9a630baa19fdd05152f4d6ec6359c9c4.squirrel@muppetz.com>

Hi,

In a recent meeting with our Cisco SE, he told me something that doesn't seem right to me. I'm having trouble finding documentation to support either side though.
Given the following diagram (apologies to console people) - http://tinyurl.com/cisco-mpls

It's my understanding that traffic leaving Site 4 and heading to Site 1 will route locally through the VRF and not have any MPLS header(s) added/removed as it routes through PE1. (Please assume that all sites are in the _same_ VRF, I realise this Cisco diagram is trying to show two separate VRFs. That's my problem, I can find no real Cisco discussion of multiple interfaces terminating on the same PE in the same VRF.)

Our Cisco SE says that even routing locally on PE1 from Site 4 to Site 1, ingress traffic will have an MPLS header added, it will then be routed, then the MPLS label popped off again and it'll egress towards Site 4. This seems wrong to me, I think it must just be a IPv4 forwarding decision. Only if traffic was egressing towards Site 3 or Site 2 would it have (2) MPLS headers attached.

Can anyone point me to Documentation that would answer this question?

I'm sure that ingress traffic is assigned some internal "you're in VRF x" label, but our SE was clear in stating it would be an MPLS header added and removed, the same information as if it was egressing towards Site 2/3.

Thanks!

Tim

From swmike at swm.pp.se Tue Dec 2 06:27:21 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 2 Dec 2008 12:27:21 +0100 (CET)
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
In-Reply-To:
References:
Message-ID:

On Tue, 2 Dec 2008, Ziv Leyes wrote:

> Will we be able to perform this task by ourselves or with the lack of
> knowledge/experience will be better to call someone that knows the job?

IPv6 is not magic. If you can do IPv4 BGP comfortably, you most likely have all the necessary basic knowledge to learn IPv6 in a few hours. Your 7200 will do it in the image you're running and it doesn't really use that much more memory or any other resources.
You can start to spend an hour in front of to get an introduction to IPv6, there is also an excellent document at CCO which has what you need and much more.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From gert at greenie.muc.de Tue Dec 2 06:37:48 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 2 Dec 2008 12:37:48 +0100
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
In-Reply-To:
References:
Message-ID: <20081202113748.GA8535@greenie.muc.de>

Hi,

On Tue, Dec 02, 2008 at 12:36:03PM +0200, Ziv Leyes wrote:
> I know this has probably been asked a thousand times. I'm not asking for answers, only for directions on where to start from.

Well, my standard answer to IPv6 is "there is nothing magic about it, just the addresses look funny"

so - you need

- get addresses (from RIPE, very easy, just ask and receive a /32)
- put IPv6 addresses on your router interconnections (/64 networks, pick whatever feels comfortable for the host part)
- put IPv6 addresses (/128) on your router loopbacks (from a set-aside /64 for loopback addresses)
- decide on an IGP (OSPFv3, ISIS, EIGRPv6), and turn it on - use whatever is most similar to the IPv4 IGP you're comfortable with
- add "address-family ipv6" to your BGP configs, and add "network" and "neighbour" statements for iBGP and eBGP peers
- follow the same rules you do for IPv4 BGP regarding ingress/egress filtering, BGP community settings, etc.
- talk to your upstream providers, tell them you require IPv6, otherwise you'll have to change providers.
- IOS 12.4 is fine for IPv6
- the trick is: do not despair. If you know your trade in IPv4, IPv6 really is very similar - all the concepts (IGP, iBGP, eBGP, loopback addresses, ...) are the *same*. Just funny-looking addresses.
- of course there's lots of work in this.
gert

PS: I'm happy to help on the mailing list, if you have specific questions - and I'm also earning a living by doing consulting work, if you do not want to have the questions and answers on the mailing list :-)

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de

From A.L.M.Buxey at lboro.ac.uk Tue Dec 2 06:45:20 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Tue, 2 Dec 2008 11:45:20 +0000
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
In-Reply-To: <20081202113748.GA8535@greenie.muc.de>
References: <20081202113748.GA8535@greenie.muc.de>
Message-ID: <20081202114520.GB7317@lboro.ac.uk>

Hi,

> so - you need

(nice list of tasks to be undertaken deleted)

- and update all your ACLs etc to account for any SNMP/telnet/ssh/etc that might be getting to your router via IPv6

As Gert says, IPv6 work is just like IPv4 work except for the more funky addresses - oh, and the fact that IPv6 will only route via newer nicer IGP methods. We're migrating to ISIS rather than having another OSPF instance to only do IPv6

alan

From tim at pelican.org Tue Dec 2 07:15:15 2008
From: tim at pelican.org (Tim Franklin)
Date: Tue, 2 Dec 2008 12:15:15 -0000 (GMT)
Subject: [c-nsp] Does traffic routing through a PE get an MPLS label added/removed?
In-Reply-To: <9a630baa19fdd05152f4d6ec6359c9c4.squirrel@muppetz.com>
References: <9a630baa19fdd05152f4d6ec6359c9c4.squirrel@muppetz.com>
Message-ID: <81a79268178e89feb28b8e1860356e4b.squirrel@webmail.pelican.org>

On Tue, December 2, 2008 10:48 am, TiM wrote:
> Can anyone point me to Documentation that would answer this question?
>
> I'm sure that ingress traffic is assigned some internal "you're in VRF x"
> label, but our SE was clear in stating it would be an MPLS header added
> and removed, the same information as if it was egressing towards Site 2/3.

Documentation, no, but an example seems to support that CEF is *not* going to impose and remove a label:

For a route on the same PE, same VRF:

router#sh ip cef vrf xxx x.x.x.8 detail
x.x.x.8/32, epoch 1
  local label info: other/759
  recursive via x.x.x.66
    recursive via x.x.x.x/30
      attached to Serial4/0/0.1/1/3/2:0

Same VPN, other PE:

router#sh ip cef vrf xxx x.x.x.121 detail
x.x.x.121/32, epoch 1
  recursive via x.x.x.56 label 67
    nexthop x.x.x.34 TenGigabitEthernet9/1 label 16071

Whether some kind of recirculation happens inside the box where it puts a label on and then takes it off again, I don't know, but I absolutely agree that it sounds somewhat strange.

Regards,
Tim.

From zivl at gilat.net Tue Dec 2 07:17:59 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 2 Dec 2008 14:17:59 +0200
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
In-Reply-To: <20081202113748.GA8535@greenie.muc.de>
References: <20081202113748.GA8535@greenie.muc.de>
Message-ID:

Well, when you say it, it sounds very simple, the problem is I don't really know the subnetting stuff for IPv6, for example.
We don't use any of the IGP you've mentioned in our IPv4 setup, we only have some iBGP peers between our routers.
Do we HAVE to use OSPF, ISIS or EIGRP or we can still use only iBGP on IPv6 when needed?
Remember I'm not moving the whole network to v6, only additional to the current v4.
Let's say I have a circuit connection to one uplink provider and I have a BGP peering between both sides on IPv4 /32 addresses, you suggest that I ask the provider to move to IPv6, what happens then to the whole IPv4 addresses?
What happens to other devices that know this IPv4 address and won't know the new IPv6 address?
What about the loopback IPs that are used for other peering and stuff?
Is there a way to transfer IPv4 traffic through an IPv6 BGP and vice versa?

Thanks,
Ziv

From peter at rathlev.dk Tue Dec 2 07:21:19 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 02 Dec 2008 13:21:19 +0100
Subject: [c-nsp] Can't configure IP SLA
In-Reply-To: <4934B6CF.6070607@fnbs.net>
References: <4934B6CF.6070607@fnbs.net>
Message-ID: <1228220479.18155.37.camel@localhost.localdomain>

On Tue, 2008-12-02 at 12:17 +0800, Nimal David Sirimanne wrote:
> The IOS i'm using is Cisco IOS Software, C3550 Software
> (C3550-IPSERVICESK9-M), Version 12.2(25)SEE1, RELEASE SOFTWARE (fc1)
>
> However, when i go to config mode, i get this:
>
> Switch(config)#ip sla ?
> % Unrecognized command
>
> Is there something i need to enable?

Try "Switch(config)#rtr ?", this is the "old" way of doing IP SLA, which was known as "Response Time Reporter". The commands were changed somewhere between 12.2(35)SE and 12.2(40)SE.

Regards,
Peter

From saku+cisco-nsp at ytti.fi Tue Dec 2 07:33:52 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Tue, 2 Dec 2008 14:33:52 +0200
Subject: [c-nsp] Cisco 7600 vlan issue
In-Reply-To: <49343FFA.7060205@jarruda.com>
References: <500660a858matt@melbourne.org.uk> <20081130182402.GO8535@greenie.muc.de> <49332FC0.3000308@jarruda.com> <49343D80.7080901@cisco.com> <49343FFA.7060205@jarruda.com>
Message-ID: <20081202123352.GB18197@mx.ytti.net>

On (2008-12-01 14:50 -0500), Julio Arruda wrote:
> And I understand Nexus is the EARL8, correct ?
> And this would also mean the 3B, 3C and the XLs are all EARL7, but with
> distinct sizes for the TCAMs tied to them ?

3C is EARL7.5.
--
++ytti

From mtinka at globaltransit.net Tue Dec 2 08:08:54 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 2 Dec 2008 21:08:54 +0800
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
In-Reply-To: <20081202113748.GA8535@greenie.muc.de>
References: <20081202113748.GA8535@greenie.muc.de>
Message-ID: <200812022108.54766.mtinka@globaltransit.net>

On Tuesday 02 December 2008 19:37:48 Gert Doering wrote:

> - of course there's lots of work in this.

And not forgetting that you have to tell IOS to route v6 traffic:

ipv6 unicast-routing

And also that you'd like it do it via CEF:

ipv6 cef

It would be nice if Cisco had these on by default.

Cheers,

Mark.

From leonardo.souza at nec.com.br Tue Dec 2 08:31:24 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Tue, 2 Dec 2008 10:31:24 -0300
Subject: [c-nsp] RES: Does traffic routing through a PE get an MPLS labeladded/removed?
In-Reply-To: <9a630baa19fdd05152f4d6ec6359c9c4.squirrel@muppetz.com>
References: <9a630baa19fdd05152f4d6ec6359c9c4.squirrel@muppetz.com>
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D01D9A64A@spsrvmail03.nec.br>

Hi,

You're right and your SE is wrong. What he's saying wouldn't be possible as both site 1 and site 4 are out of MPLS domain. You can see in the VRF routing table the code 'L' (local) and also the VRF CEF table doesn't have any imposed label.

Regards,
Leonardo.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of TiM
Sent: Tuesday, 2 December 2008 07:49
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Does traffic routing through a PE get an MPLS labeladded/removed?

From gert at greenie.muc.de Tue Dec 2 08:24:38 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 2 Dec 2008 14:24:38 +0100
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
In-Reply-To: <20081202114520.GB7317@lboro.ac.uk>
References: <20081202113748.GA8535@greenie.muc.de> <20081202114520.GB7317@lboro.ac.uk>
Message-ID: <20081202132438.GB8535@greenie.muc.de>

Hi,

On Tue, Dec 02, 2008 at 11:45:20AM +0000, A.L.M.Buxey at lboro.ac.uk wrote:
> - and update all your ACLs etc to account for any SNMP/telnet/ssh/etc
> that might be getting to your router via IPv6

Thanks for pointing that out. Indeed, I've overlooked it - "apply all security measures that you have for IPv4 to the IPv6 parts as well". (Telnet/SNMP, interface ACLs, BGP prefix-lists, ...)

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Tue Dec 2 08:34:13 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 2 Dec 2008 14:34:13 +0100
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
In-Reply-To:
References: <20081202113748.GA8535@greenie.muc.de>
Message-ID: <20081202133413.GC8535@greenie.muc.de>

Hi,

On Tue, Dec 02, 2008 at 02:17:59PM +0200, Ziv Leyes wrote:
> Well, when you say it, it sounds very simple, the problem is I
> don't really know the subnetting stuff for IPv6, for example.

Well, it's like CIDR in IPv4 - you put aside a number of bits for the "network" part, and the rest is "host".
In IPv6, it's actually easier, as you don't need to do much thinking - just make every network a /64, and all loopbacks a /128.

(This is in line with IETF and RIPE policies, even if it might seem like "waste" - but there are enough addresses - and even if some folks do it differently for one or the other reason. No need to complicate matters here).

From RIPE, you will get a /32. Every customer gets a /48 (65000 of those inside /32). Every of your POPs gets a /48. Inside the /48, there's 65000 /64s. So use them freely, do not worry about waste here.

[This is simplified, for a "really large" provider, the math is more complicated, of course]

> We don't use any of the IGP you've mentioned in our IPv4 setup, we only have some iBGP peers between our routers.
> Do we HAVE to use OSPF, ISIS or EIGRP or we can still use only iBGP on IPv6 when needed?

If you don't run any IPv4 IGP today, you can use the same setup for IPv6 (static routes + iBGP + eBGP).

> Remember I'm not moving the whole network to v6, only additional to the current v4.

Just add IPv6 to the existing config. It will run in parallel.

> Let's say I have a circuit connection to one uplink provider and I have
> a BGP peering between both sides on IPv4 /32 addresses, you suggest
> that I ask the provider to move to IPv6, what happens then to the whole
> IPv4 addresses?

Add IPv6, but do not remove IPv4. Run both in parallel.

This is, for example, how our uplink interface to C&W looks like:

interface Port-channel150
 description GE-Link zu C&W 1273
 ip address 62.xx.xx.162 255.255.255.252
 ip access-group 110 in
 ip flow ingress
 ipv6 address 2001:yyy:yy:yy::2/64
 ipv6 traffic-filter ext-in in
end

the IPv4 part is easy to understand - and the IPv6 part essentially does the same thing, just with funny numbers, and a named IPv6 ACL.

> What happens to other devices that know this IPv4 address and won't know
> the new IPv6 address?

They continue to use IPv4.
> What about the loopback IPs that are used for other peering and stuff?

interface Loopback0
 description Loopback, fuer iBGP
 ip address 193.xx.xx.14 255.255.255.255
 ipv6 address 2001:608:0:zzz::1030/128
 ipv6 ospf 42 area 0
end

- again: add v6, leave the v4 part alone.

> Is there a way to transfer IPv4 traffic through an IPv6 BGP and vice versa?

Yep. Tunneling - a GRE tunnel (for example) which carries IPv4 inside and IPv6 outside, or vice versa. But for a 3-router network it's much easier to enable both protocols in parallel. Tunnels are a workaround for underlying infrastructure constraints.

(NB: there's a number of Cisco Press books about IPv6. I have not yet looked at one of them, so I can't say anything about the contents - but I've met the authors and they know what they are talking about - so chances are quite high that the books are worth looking at)

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de

From cf at utc.fr Tue Dec 2 07:34:25 2008
From: cf at utc.fr (Christophe Fillot)
Date: Tue, 02 Dec 2008 13:34:25 +0100
Subject: [c-nsp] Does traffic routing through a PE get an MPLS label added/removed?
In-Reply-To: <9a630baa19fdd05152f4d6ec6359c9c4.squirrel@muppetz.com>
References: <9a630baa19fdd05152f4d6ec6359c9c4.squirrel@muppetz.com>
Message-ID: <49352B51.9010606@utc.fr>

TiM wrote:
> I'm sure that ingress traffic is assigned some internal "you're in VRF x"
> label, but our SE was clear in stating it would be an MPLS header added
> and removed, the same information as if it was egressing towards Site 2/3.
>

IMHO, you're right.
Just consider the VRF-lite feature (especially on low-end routers where
there is no MPLS support): there is no LFIB built and no MPLS mechanism
used. I don't see the purpose of adding/removing a label on the same box
whereas the routing decision done by CEF with the FIB is sufficient.

> Thanks!
>
> Tim
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From maillist at webjogger.net Tue Dec 2 09:02:56 2008
From: maillist at webjogger.net (Adam Greene)
Date: Tue, 2 Dec 2008 09:02:56 -0500
Subject: [c-nsp] security
References: <513746.70502.qm@web57414.mail.re1.yahoo.com> <4288131ED5E3024C9CD4782CECCAD2C7037AFA84@LMC-MAIL2.exempla.org> <49345749.6060602@west.net>
Message-ID:

How does one get around the side-effect of not allowing broadcasts; i.e.
wouldn't this break ARP functionality?

----- Original Message -----
From: "Jay Hennigan"
To:
Sent: Monday, December 01, 2008 4:29 PM
Subject: Re: [c-nsp] security

> Matlock, Kenneth L wrote:
>> An IP directed broadcast is an IP packet destined for the network or
>> broadcast address.
>>
>> So for example let's say you have a subnet of 192.168.1.0/24
>>
>> 192.168.1.0 is the network address.
>> 192.168.1.255 is the broadcast address.
>>
>> An IP packet destined for 192.168.1.255 (the destination address) would
>> by default get broadcasted out to all ports in the VLAN/LAN/etc that are
>> on the 192.168.1.0 network. (something like the FF:FF:FF:FF:FF:FF
>> address on a Layer 2 segment).
>>
>> Putting that command in disables that 'feature'.
>
> Ken explained it nicely.
>
> The benefit of this from a security standpoint is that it prevents your
> network from becoming a smurf "amplifier".
>
> ICMP is connectionless so can be easily spoofed.
> A denial-of-service attack called "smurf" consists of sending ICMP ping
> packets forged with the source of your victim to the all-1s broadcast
> address of a well-connected subnet with lots of hosts. This is a packet
> directed to the broadcast address of the subnet, hence "directed
> broadcast". All of the hosts on that subnet will then reply to the forged
> address of the victim, which can overwhelm the victim's network and
> possibly yours or one in the middle.
>
> The command "no ip directed-broadcast" causes the router to drop packets
> directed to the broadcast address of the subnet.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

From gert at greenie.muc.de Tue Dec 2 09:28:27 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 2 Dec 2008 15:28:27 +0100
Subject: [c-nsp] security
In-Reply-To:
References: <49345749.6060602@west.net>
Message-ID: <20081202142827.GD8535@greenie.muc.de>

Hi,

On Tue, Dec 02, 2008 at 09:02:56AM -0500, Adam Greene wrote:
> How does one get around the side-effect of not allowing broadcasts; i.e.
> wouldn't this break ARP functionality?

This has no effect on things that happen *inside* the network - it will
just stop converting "IP broadcast -> link level broadcast" for packets
coming from the outside.

ARP is not crossing the router - so: no problem there.

gert
--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From will at harg.net Tue Dec 2 09:07:03 2008
From: will at harg.net (Will Hargrave)
Date: Tue, 02 Dec 2008 14:07:03 +0000
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
In-Reply-To:
References:
Message-ID: <49354107.5020601@harg.net>

Ziv Leyes wrote:
> I know this has probably been asked a thousand times. I'm not asking for
> answers, only for directions on where to start from.

Hi Ziv,

At NANOG44 I saw Philip Smith / Ron Bonica's excellent tutorial on ipv6
routing:
http://www.nanog.org/meetings/nanog44/abstracts.php?pt=ODgxJm5hbm9nNDQ=&nm=nanog44

I suggest you check presentation archives for NANOG, RIPE, APRICOT meetings
for tutorials and presentations which will help you. There may also be a
local network operators forum in your country with resources.

Whether you can do this by yourself... I don't know. But if you're going
to have to operate the network, what better way to learn how than by
deploying it yourselves first! :-)

Regards

Will

From mikie.simpson at gmail.com Tue Dec 2 09:40:50 2008
From: mikie.simpson at gmail.com (Michael Simpson)
Date: Tue, 2 Dec 2008 14:40:50 +0000
Subject: [c-nsp] security
In-Reply-To:
References: <513746.70502.qm@web57414.mail.re1.yahoo.com> <4288131ED5E3024C9CD4782CECCAD2C7037AFA84@LMC-MAIL2.exempla.org> <49345749.6060602@west.net>
Message-ID: <82abd3a70812020640i4131bd70lfb087d40282d1e59@mail.gmail.com>

On 12/2/08, Adam Greene wrote:
> How does one get around the side-effect of not allowing broadcasts; i.e.
> wouldn't this break ARP functionality?
>

Not within the subnet.
Using ethernet, ARP is only on the local segment and won't traverse the
router.
"no ip directed-broadcast" stops broadcasts from a different subnet.

snipped from

An IP directed broadcast is an IP packet whose destination address is a
valid broadcast address for some IP subnet, but which originates from a
node that is not itself part of that destination subnet.
A router that is not directly connected to its destination subnet forwards
an IP directed broadcast in the same way it would forward unicast IP
packets destined to a host on that subnet. When a directed broadcast
packet reaches a router that is directly connected to its destination
subnet, that packet is "exploded" as a broadcast on the destination
subnet. The destination address in the IP header of the packet is
rewritten to the configured IP broadcast address for the subnet, and the
packet is sent as a link-layer broadcast.

mike

From gert at greenie.muc.de Tue Dec 2 09:45:03 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 2 Dec 2008 15:45:03 +0100
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
In-Reply-To: <49354107.5020601@harg.net>
References: <49354107.5020601@harg.net>
Message-ID: <20081202144503.GF8535@greenie.muc.de>

Hi,

On Tue, Dec 02, 2008 at 02:07:03PM +0000, Will Hargrave wrote:
> Whether you can do this by yourself... I don't know.

Be more optimistic :-) - the most difficult part in IPv6 is getting used
to having more-than-enough addresses available. No more lengthy
discussions on "do I use a /28 or /27 subnet here?"...

gert
--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From trejrco at gmail.com Tue Dec 2 09:58:02 2008
From: trejrco at gmail.com (TJ)
Date: Tue, 2 Dec 2008 09:58:02 -0500
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
In-Reply-To: <20081202133413.GC8535@greenie.muc.de>
References: <20081202113748.GA8535@greenie.muc.de> <20081202133413.GC8535@greenie.muc.de>
Message-ID: <00b901c9548e$60ae61a0$220b24e0$@com>

Gert mentioned a Cisco book or two, let me just toss out a glowing
recommendation for:
Deploying IPv6, http://tinyurl.com/DeployingIPv6
Global IPv6 Strategies, http://tinyurl.com/GIPv6Strategies

(The first is very technical, very real world / deployment oriented ...
the latter is less technical, more business ("The why's" more than "The
how's") ... both are fantastic.)

Also, while on a roll, let me toss out recommendations for a non-Cisco
book or two:
Migrating to IPv6, http://tinyurl.com/MigratingToIPv6
IPv6 Essentials, http://tinyurl.com/IPv6Essentials

Oh, and "Is there a way to transfer IPv4 traffic through an IPv6 BGP and
vice versa?" was asked ... while tunneling is one answer, the question
could also be read to ask about the use of BGP peering over IPv6 while
exchanging IPv4 routes - which also works just fine (with an extra step or
two WRT next-hop attribute setting).

HTH!
/TJ

>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>bounces at puck.nether.net] On Behalf Of Gert Doering
>Sent: Tuesday, December 02, 2008 8:34 AM
>To: Ziv Leyes
>Cc: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
>
>Hi,
>
>On Tue, Dec 02, 2008 at 02:17:59PM +0200, Ziv Leyes wrote:
>> Well, when you say it, it sounds very simple, the problem is I don't
>> really know the subneting stuff for IPv6, for example.
>
>Well, it's like CIDR in IPv4 - you put aside a number of bits for the
>"network" part, and the rest is "host".
>
>In IPv6, it's actually easier, as you don't need to do much thinking - just
>make every network a /64, and all loopbacks a /128.
>
>(This is in line with IETF and RIPE policies, even if it might seem like
>"waste" - but there are enough addresses - and even if some folks do it
>differently for one or the other reason. No need to complicate matters
>here).
>
>From RIPE, you will get a /32.
>
>Every customer gets a /48 (65000 of those inside /32).
>
>Every of your POPs gets a /48.
>
>Inside the /48, there's 65000 /64s. So use them freely, do not worry about
>waste here.
>
>[This is simplified, for a "really large" provider, the math is more
>complicated, of course]
>
>> We don't use any of the IGP you've mentioned in our IPv4 setup, we only
>> have some iBGP peers between our routers.
>> Do we HAVE to use OSPF, ISIS or EIGRP or we can still use only iBGP on
>> IPv6 when needed?
>
>If you don't run any IPv4 IGP today, you can use the same setup for IPv6
>(static routes + iBGP + eBGP).
>
>> Remember I'm not moving the whole network to v6, only additional to the
>> current v4.
>
>Just add IPv6 to the existing config. It will run in parallel.
>
>
>> Let's say I have a circuit connection to one uplink provider and I
>> have a BGP peering between both sides on IPv4 /32 addresses, you
>> suggest that I ask the provider to move to IPv6, what happens then to
>> the whole IPv4 addresses?
>
>Add IPv6, but do not remove IPv4. Run both in parallel.
>
>This is, for example, how our uplink interface to C&W looks like:
>
>interface Port-channel150
> description GE-Link zu C&W 1273
> ip address 62.xx.xx.162 255.255.255.252
> ip access-group 110 in
> ip flow ingress
> ipv6 address 2001:yyy:yy:yy::2/64
> ipv6 traffic-filter ext-in in
>end
>
>the IPv4 part is easy to understand - and the IPv6 part essentially does
>the same thing, just with funny numbers, and a named IPv6 ACL.
>
>> What happens to other devices that know this IPv4 address and won't
>> know the new IPv6 address?
>
>They continue to use IPv4.
>
>> What about the loopback IPs that are used for other peering and stuff?
>
>interface Loopback0
> description Loopback, fuer iBGP
> ip address 193.xx.xx.14 255.255.255.255
> ipv6 address 2001:608:0:zzz::1030/128
> ipv6 ospf 42 area 0
>end
>
>- again: add v6, leave the v4 part alone.
>
>> Is there a way to transfer IPv4 traffic through an IPv6 BGP and vice
>> versa?
>
>Yep. Tunneling - a GRE tunnel (for example) which carries IPv4 inside and
>IPv6 outside, or vice versa.
>
>But for a 3-router network it's much easier to enable both protocols in
>parallel. Tunnels are a workaround for underlying infrastructure
>constraints.
>
>
>(NB: there's a number of Cisco Press books about IPv6. I have not yet
>looked at one of them, so I can't say anything about the contents - but
>I've met the authors and they know what they are talking about - so
>chances are quite high that the books are worth looking at)
>
>gert
>--
>USENET is *not* the non-clickable part of WWW!           //www.muc.de/~gert/
>Gert Doering - Munich, Germany                        gert at greenie.muc.de
>fax: +49-89-35655025                   gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Tue Dec 2 10:13:32 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 2 Dec 2008 16:13:32 +0100
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
In-Reply-To: <00b901c9548e$60ae61a0$220b24e0$@com>
References: <20081202113748.GA8535@greenie.muc.de> <20081202133413.GC8535@greenie.muc.de> <00b901c9548e$60ae61a0$220b24e0$@com>
Message-ID: <20081202151332.GG8535@greenie.muc.de>

Hi,

On Tue, Dec 02, 2008 at 09:58:02AM -0500, TJ wrote:
> Gert mentioned a Cisco book or two, let me just toss out a glowing
> recommendation for:
> Deploying IPv6, http://tinyurl.com/DeployingIPv6
> Global IPv6 Strategies, http://tinyurl.com/GIPv6Strategies

Oh, yes. These are the ones I had in mind :-) - glad to hear that the
books live up to their authors' reputation!

gert
--
USENET is *not* the non-clickable part of WWW!
                                                              //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From paul.cosgrove at heanet.ie Tue Dec 2 10:29:58 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Tue, 02 Dec 2008 15:29:58 +0000
Subject: [c-nsp] security
In-Reply-To: <82abd3a70812020640i4131bd70lfb087d40282d1e59@mail.gmail.com>
References: <513746.70502.qm@web57414.mail.re1.yahoo.com> <4288131ED5E3024C9CD4782CECCAD2C7037AFA84@LMC-MAIL2.exempla.org> <49345749.6060602@west.net> <82abd3a70812020640i4131bd70lfb087d40282d1e59@mail.gmail.com>
Message-ID: <49355476.7080808@heanet.ie>

Michael Simpson wrote:
> On 12/2/08, Adam Greene wrote:
>
>> How does one get around the side-effect of not allowing broadcasts; i.e.
>> wouldn't this break ARP functionality?
>>
>>
> Not within the subnet
> using ethernet arp is only on the local segment and won't traverse the router
> no ip directed broadcast stops broadcasts from a different subnet
>
> snipped from
>
> An IP directed broadcast is an IP packet whose destination address is
> a valid broadcast address for some IP subnet, but which originates
> from a node that is not itself part of that destination subnet.
>
> A router that is not directly connected to its destination subnet
> forwards an IP directed broadcast in the same way it would forward
> unicast IP packets destined to a host on that subnet. When a directed
> broadcast packet reaches a router that is directly connected to its
> destination subnet, that packet is "exploded" as a broadcast on the
> destination subnet. The destination address in the IP header of the
> packet is rewritten to the configured IP broadcast address for the
> subnet, and the packet is sent as a link-layer broadcast.
>
> mike
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

Or to put it another way...

ARP uses a destination IP of 255.255.255.255, which is the 'limited
broadcast address'. Packets with this destination are never routed
between subnets.

Directed broadcast destination IPs begin with a subnet's network prefix,
so for an interface with IP 192.168.10.1/24 the directed broadcast address
of its attached subnet is 192.168.10.255. These can be routed between
subnets.

Paul.

From gert at greenie.muc.de Tue Dec 2 10:36:37 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 2 Dec 2008 16:36:37 +0100
Subject: [c-nsp] security
In-Reply-To: <49355476.7080808@heanet.ie>
References: <513746.70502.qm@web57414.mail.re1.yahoo.com> <4288131ED5E3024C9CD4782CECCAD2C7037AFA84@LMC-MAIL2.exempla.org> <49345749.6060602@west.net> <82abd3a70812020640i4131bd70lfb087d40282d1e59@mail.gmail.com> <49355476.7080808@heanet.ie>
Message-ID: <20081202153636.GH8535@greenie.muc.de>

Hi,

On Tue, Dec 02, 2008 at 03:29:58PM +0000, Paul Cosgrove wrote:
> ARP uses a destination IP of 255.255.255.255, which is the 'limited
> broadcast address'. Packets with this destination are never routed
> between subnets.

Actually, ARP does *not* use any IP broadcast address at all, neither
"limited" nor "subnet broadcast".

$ tcpdump -v -n -s0 -e 'arp'
16:35:21.981368 0:22:55:93:88:80 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 195.30.1.10 tell 195.30.1.118

... no IP address in here, except source and destination hosts.

Ethernet broadcast, yes.

gert
--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From paul.cosgrove at heanet.ie Tue Dec 2 10:59:54 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Tue, 02 Dec 2008 15:59:54 +0000
Subject: [c-nsp] security
In-Reply-To: <20081202153636.GH8535@greenie.muc.de>
References: <513746.70502.qm@web57414.mail.re1.yahoo.com> <4288131ED5E3024C9CD4782CECCAD2C7037AFA84@LMC-MAIL2.exempla.org> <49345749.6060602@west.net> <82abd3a70812020640i4131bd70lfb087d40282d1e59@mail.gmail.com> <49355476.7080808@heanet.ie> <20081202153636.GH8535@greenie.muc.de>
Message-ID: <49355B7A.4070807@heanet.ie>

Gert Doering wrote:
> Hi,
>
> On Tue, Dec 02, 2008 at 03:29:58PM +0000, Paul Cosgrove wrote:
>
>> ARP uses a destination IP of 255.255.255.255, which is the 'limited
>> broadcast address'. Packets with this destination are never routed
>> between subnets.
>>
>
> Actually, ARP does *not* use any IP broadcast address at all, neither
> "limited" nor "subnet broadcast".
>
> $ tcpdump -v -n -s0 -e 'arp'
> 16:35:21.981368 0:22:55:93:88:80 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 195.30.1.10 tell 195.30.1.118
>
> ... no IP address in here, except source and destination hosts.
>
> Ethernet broadcast, yes.
>
> gert
>

Oops, shouldn't be getting that wrong. Thanks for the correction and
apologies for the confusion.

Paul.

From md at bts.sk Tue Dec 2 11:21:47 2008
From: md at bts.sk (Marian Ďurkovič)
Date: Tue, 2 Dec 2008 17:21:47 +0100
Subject: [c-nsp] Nexus 7000 fiber 1GBit linecard.
In-Reply-To: <200812011753.mB1Hrf1c005254@racing2.mecon.ar>
References: <200811111449.mABEnfOu030925@racing2.mecon.ar> <200812011753.mB1Hrf1c005254@racing2.mecon.ar>
Message-ID: <20081202162147.GA73785@bts.sk>

On Mon, Dec 01, 2008 at 02:53:41PM -0300, Juan Angel Menendez wrote:
>
> It's already here: N7K-M148GS-11 Nexus 7000 Series 48-Port Gigabit
> Ethernet Module (SFP) with 40 Gbps Fabric
>
> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/Data_Sheet_C78-437763.html

Hmm, this datasheet shows Time Domain Reflectometry support on the 48-port
copper module, but no Digital Optical Monitoring support on the fiber
module. So again, fiber connections have less layer-1 monitoring
capabilities than the copper ones...

Is this just a temporary limitation of the initial NX-OS release, or do
these SFP cards suffer from the same problems as the 6748-SFP cards for
Cat6500 where DOM still doesn't work?

Thanks & kind regards,

M.

From leonardo.souza at nec.com.br Tue Dec 2 12:56:46 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Tue, 2 Dec 2008 14:56:46 -0300
Subject: [c-nsp] VLAN internal usage
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D01D9A84E@spsrvmail03.nec.br>

Hi there,

I am wondering why I can see some VLANs configured on L3 interfaces in the
internal VLAN usage. Wasn't it supposed to show only internal VLANs
allocated from the range 1006-4094?
For example:

7609#show vlan inter usage

VLAN Usage
---- --------------------
  20 GigabitEthernet4/1.20
  21 GigabitEthernet4/1.21   <<<<<<< new subinterface accounted as internal vlan
1006 online diag vlan0
1007 online diag vlan1
1008 online diag vlan2
1009 online diag vlan3
1010 online diag vlan4
1011 online diag vlan5
1012 PM vlan process (trunk tagging)
1013 Control Plane Protection
1014 NDE
1015 Container0
1016 L3 multicast partial shortcuts for VPN 0
1017 Egress internal vlan
1018 Multicast VPN 0 QOS vlan
1019 IPv6 Multicast Egress multicast
1020 GigabitEthernet4/2
1021 GigabitEthernet4/1

PS: Only tested in the SRB train.

Thanks in advance.

From booloo at ucsc.edu Tue Dec 2 12:32:49 2008
From: booloo at ucsc.edu (Mark Boolootian)
Date: Tue, 2 Dec 2008 09:32:49 -0800
Subject: [c-nsp] security
In-Reply-To: <20081202153636.GH8535@greenie.muc.de>
References: <513746.70502.qm@web57414.mail.re1.yahoo.com> <4288131ED5E3024C9CD4782CECCAD2C7037AFA84@LMC-MAIL2.exempla.org> <49345749.6060602@west.net> <82abd3a70812020640i4131bd70lfb087d40282d1e59@mail.gmail.com> <49355476.7080808@heanet.ie> <20081202153636.GH8535@greenie.muc.de>
Message-ID: <20081202173249.GB94540@root.ucsc.edu>

> Actually, ARP does *not* use any IP broadcast address at all, neither
> "limited" nor "subnet broadcast".

Because it isn't using IP...

From mleber at he.net Tue Dec 2 13:13:38 2008
From: mleber at he.net (Mike Leber)
Date: Tue, 02 Dec 2008 10:13:38 -0800
Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network
Message-ID: <49357AD2.6040408@he.net>

Hi, if your transit provider doesn't already run native IPv6 you can get a
tunnel at tunnelbroker.net, and you can request BGP via a "request BGP
tunnel" command once you are logged in.
Once you have IPv6 connectivity established (either native IPv6 or via a
tunnel from anybody), if you want a self-teaching procedural guide where
you can set up and test various IPv6 services (HTTP, SMTP, reverse DNS,
forward DNS, host record glue) then you might check out our free IPv6
certification service at:

http://ipv6.he.net/certification

It's a bit tongue in cheek and meant to be sort of like entertainment with
education for engineers (for example the certification ranks are from
"Newb" to "Sage"). By the time you are done, IPv6 won't seem weird. (In
fact, you'll probably be thinking "that's it?!")

We are still adding tests and content as people suggest ideas, so if you
run through it and see a gap you'd like covered, let me know.

Mike.

Ziv Leyes wrote:
> Hi all,
> I know this has probably been asked a thousand times. I'm not asking for
> answers, only for directions on where to start from.
> I have a network with three 7200VXR routers running C7200-IS-M Ver. 12.4(13b)
> We run a few BGP uplink peers and we're uplink providers to quite a few
> other customer BGP peers, all this in an IPv4-only environment.
> I knew this day would come soon, it's like a nightmare above our heads.
> One of our biggest customer peers is requiring us to set up an IPv6 peer
> with them.
> I need some help in finding any information I need in order to make it
> work (Hardware, IOS, BGP configuration, IPv4←→IPv6 mixing, consequences,
> tradeoffs, etc). I have no clue about IPv6, I only know it's a darn big
> range and a very weird and impossible to remember address format (HEXA?).
> We still don't have our own IPv6 range, we need to apply for one on RIPE,
> we don't know which one of our uplink providers supports IPv6 either…
> Will we be able to perform this task by ourselves, or with the lack of
> knowledge/experience will it be better to call someone that knows the job?
> Perhaps Hank?
>
> Thanks in advance,
>
> Ziv
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
+---------------- H U R R I C A N E - E L E C T R I C ----------------+
| Mike Leber           Wholesale IPv4 and IPv6 Transit    510 580 4100 |
| Hurricane Electric                                          AS6939   |
| mleber at he.net     Internet Backbone & Colocation    http://he.net |
+---------------------------------------------------------------------+

From ncnet at sbcglobal.net Tue Dec 2 14:06:54 2008
From: ncnet at sbcglobal.net (Larry Stites)
Date: Tue, 02 Dec 2008 11:06:54 -0800
Subject: [c-nsp] ACE20-MOD-K9 Unknown PwrDown
In-Reply-To: <20081202173249.GB94540@root.ucsc.edu>
Message-ID:

We seem to have a faulty ACE20 MOD. (license SC6K-3.0.0A14-ACE, license
claim & download activation key) The issue we encounter is that the card
is not active on the 6500 switch, even after trying a power enable. So we
cannot enter the configuration terminal of this card.

We are running IOS Version 12.2(18)SXD7 with SUP720-3B within a 6509 which
should be sufficient...

If anyone has information that we might be missing please let me know.
Show version below (serial numbers deleted). All we have is the output for
a show module (the card is in slot 9):

Router#sho module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
  2   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX
  3    8  8 port 1000mb ethernet                 WS-X6408-GBIC
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B
  7    6  Firewall Module                        WS-SVC-FWM-1
  9    1  FRU type (0x6003, 0x39E(926))          ACE20-MOD-K9

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  9  001e.f72a.e44e to 001e.f72a.e455   2.3   Unknown                   PwrDown

Mod Sub-Module                  Model              Serial       Hw     Status
--- --------------------------- ------------------ ------------ ------ -------
  1 Centralized Forwarding Card WS-F6700-CFC                    4.1    Ok
  2 Centralized Forwarding Card WS-F6700-CFC                    4.0    Ok
  5 Policy Feature Card 3       WS-F6K-PFC3B                    2.3    Ok
  5 MSFC3 Daughterboard         WS-SUP720                       2.6    Ok

Mod Online Diag Status
--- -------------------
  1 Pass
  2 Pass
  3 Pass
  5 Pass
  7 Pass
  9 Unknown

Router#

And the IOS software version of our switch:

Router#sho version
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-PS-M), Version 12.2(18)SXD7, RELEASE SOFTWARE (fc1)
...
ROM: System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
BOOTLDR: s72033_rp Software (s72033_rp-PS-M), Version 12.2(18)SXD7, RELEASE SOFTWARE (fc1)

Router uptime is 12 minutes
Time since Router switched to active is 12 minutes
System returned to ROM by reload at 08:59:34 PDT Thu Oct 18 2007 (SP by reload)
System image file is "sup-bootflash:s72033-ps-mz.122-18.SXD7.bin"

cisco WS-C6509 (R7000) processor (revision 3.0) with 458720K/65536K bytes of memory.
Processor board ID xxxx
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
X.25 software, Version 3.0.0.
Bridging software.
2 Virtual Ethernet/IEEE 802.3 interface(s)
112 Gigabit Ethernet/IEEE 802.3 interface(s)
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102

All help is appreciated -

~.~.~.~.~.~.~.~.~.~.~.
Larry Stites
NorCal Networks, Inc.

From achatz at forthnet.gr Tue Dec 2 14:15:29 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 02 Dec 2008 21:15:29 +0200
Subject: [c-nsp] ACE20-MOD-K9 Unknown PwrDown
In-Reply-To:
References:
Message-ID: <49358951.9010100@forthnet.gr>

You need IOS > 12.2(18)SXF4 for ACE support in 6500/SUP720.

--
Tassos

Larry Stites wrote on 02/12/2008 21:06:
> We seem to have a faulty ACE20 MOD. (license SC6K-3.0.0A14-ACE, license
> claim & download activation key) The issue we encounter is that the card is
> not active on the 6500 switch and even after trying a power enable. So we
> can not enter to the configuration terminal of this card.
>
> We are running IOS Version 12.2(18)SXD7 with SUP720-3B within 6509 which
> should be sufficient...

From peter at rathlev.dk Tue Dec 2 15:19:12 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 02 Dec 2008 21:19:12 +0100
Subject: [c-nsp] VLAN internal usage
In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D01D9A84E@spsrvmail03.nec.br>
References: <9E07F8717FE8BC4FBAE6860F61EA6C1D01D9A84E@spsrvmail03.nec.br>
Message-ID: <1228249152.3435.2.camel@localhost.localdomain>

On Tue, 2008-12-02 at 14:56 -0300, Leonardo Gama Souza wrote:
> I am wondering why I can see some VLANs configured on L3 interfaces in
> the internal VLAN usage.
> Wasn't it supposed to show up only internal VLANs allocated from the
> range 1006-4094?
>
> For example:
>
> 7609#show vlan inter usage
>
> VLAN Usage
> ---- --------------------
>   20 GigabitEthernet4/1.20
>   21 GigabitEthernet4/1.21 <<<<<<< new subinterface accounted as

Subinterfaces use "internal VLANs" and are not switched like other VLANs.
If you were using the VLANs as regular switchport VLANs on a trunk, they
wouldn't consume "internal VLANs", but subinterfaces do.

This also means that this VLAN is reserved for exactly that port, and that
you can't use the same VLAN on another physical port. (Cf. the "no local
vlan significance" discussion recently on this list.)

Regards,
Peter

From roddy.strachan at staff.netspace.net.au Tue Dec 2 16:11:04 2008
From: roddy.strachan at staff.netspace.net.au (Roddy Strachan)
Date: Wed, 03 Dec 2008 08:11:04 +1100
Subject: [c-nsp] ASR terminating PPPoE
In-Reply-To: <4934E0CF.1020309@isp.solcon.nl>
Message-ID:

Rinse, BGP, OSPF and per use MQOS.

On 2/12/08 6:16 PM, "Rinse Kloek" wrote:

> Looks like every thousand users use 1% CPU. What kind of features did
> you enable (BGP/OSPF/ACLs?)
>
>
> Roddy Strachan wrote:
>>
>> Actually testing/implementing one now.
>>
>> In one test we had about 12-13000 sessions on it, CPU was about 12%
>>
>> That was a rough figure...
>>
>>
>>
>> On 30/11/08 9:00 PM, "MKS" wrote:
>>
>>
>>
>>>
>>> Hi
>>>
>>> Has anyone any experience using the ASR 100x as a BRAS, terminating PPPoE?
>>> Some traffic/sessions vs CPU load info would be great (on or off list)
>>> Cisco claims up to 32.000 sessions, does that hold?
>>>
>>> Regards
>>> MKS
>>>
From ltd at cisco.com Tue Dec 2 16:43:51 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Wed, 03 Dec 2008 08:43:51 +1100
Subject: [c-nsp] Nexus 7000 fiber 1GBit linecard.
In-Reply-To: <20081202162147.GA73785@bts.sk>
References: <200811111449.mABEnfOu030925@racing2.mecon.ar> <200812011753.mB1Hrf1c005254@racing2.mecon.ar> <20081202162147.GA73785@bts.sk>
Message-ID: <4935AC17.6040401@cisco.com>

Marian Ďurkovič wrote:
> On Mon, Dec 01, 2008 at 02:53:41PM -0300, Juan Angel Menendez wrote:
>
>> It's already here: N7K-M148GS-11 Nexus
>> 7000 Series 48-Port Gigabit Ethernet Module (SFP) with 40 Gbps Fabric
>>
>> http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/Data_Sheet_C78-437763.html
>>
>
> Hmm, this datasheet shows Time Domain Reflectometry support on 48-port
> copper module, but no Digital Optical Monitoring support on fiber module.
> So again, fiber connections have less layer-1 monitoring capabilities than
> the copper ones...
>

DOM on the 48-port Fiber is there (provided the SFP modules support it,
which all of the listed ones there do).
its output is identical to that of the 32x10G module in terms of DOM capabilities: ltd-n7010-1# show module 2 | grep -i module Mod Ports Module-Type Model Status 2 32 10 Gbps Ethernet Module N7K-M132XP-12 ok ltd-n7010-1# show int eth2/1 transceiver details Ethernet2/1 sfp is present name is CISCO-EXCELIGHT part number is SPP5101SR-C1 revision is A serial number is ECL121302KT nominal bitrate is 10300 MBits/sec Link length supported for 50/125um fiber is 82 m(s) Link length supported for 62.5/125um fiber is 26 m(s) cisco id is -- cisco extended id number is 4 SFP Detail Diagnostics Information ---------------------------------------------------------------------------- Alarms Warnings High Low High Low ---------------------------------------------------------------------------- Temperature 28.65 C 75.00 C -5.00 C 70.00 C 0.00 C Voltage 3.28 V 3.63 V 2.97 V 3.46 V 3.13 V Current 4.90 mA 10.50 mA 2.00 mA 10.50 mA 2.00 mA Tx Power -3.18 dBm 1.49 dBm -11.30 dBm -1.50 dBm -7.30 dBm Rx Power -9.28 dBm 1.99 dBm -13.97 dBm -1.00 dBm -9.91 dBm Transmit Fault Count = 0 ---------------------------------------------------------------------------- Note: ++ high-alarm; + high-warning; -- low-alarm; - low-warning > Is this just a temporary limitation of the initial NX-OS release, > or do these SFP cards suffer from the same problems as the 6748-SFP > cards for Cat6500 where DOM still doesn't work? > the hardware was designed with DOM in mind from day one. cheers, lincoln. 
From leonardo.souza at nec.com.br Tue Dec 2 18:46:53 2008 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Tue, 2 Dec 2008 20:46:53 -0300 Subject: [c-nsp] RES: VLAN internal usage In-Reply-To: <1228249152.3435.2.camel@localhost.localdomain> References: <9E07F8717FE8BC4FBAE6860F61EA6C1D01D9A84E@spsrvmail03.nec.br> <1228249152.3435.2.camel@localhost.localdomain> Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D01DC96C7@spsrvmail03.nec.br> Hi Peter, > Subinterfaces use "internal VLANs" and are not switched like other > VLANs. If you were using the VLANs as regular switchport VLANs on a > trunk, they wouldn't consume "internal VLANs", but subinterfaces do. So the command 'show platform hardware capacity vlan' should be tracking the free internal VLANs, but this is not happening: 7609#show platform hardware capacity vlan VLAN Resources VLANs: 4094 total, 68 VTP, 0 extended, 16 internal, 4010 free As subinterfaces use "internal VLANs", I am actually using 18 internal VLANs here. It seems this command is only tracking the "internal VLANs" in the range 1006-4094 (automatically allocated by IOS). Am I missing anything? Regards, Leonardo. 
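An added example for this thread (not code from the list or from Cisco): it applies the rule Peter gives above, that a dot1q sub-interface consumes an "internal VLAN" reserved for that one physical port, to a constructed 7600-style configuration, flagging a VLAN ID that is reused as a sub-interface on another port or switched on a trunk, and compares the sub-interface count with the "internal" figure of show platform hardware capacity vlan. The capacity line quotes Leonardo's 7609 output; the assumption that sub-interface VLANs below 1006 are missing from that counter is drawn from his observation, not from documented behaviour.

```python
"""Audit VLAN-ID use on a 7600-style configuration (added example).

Rule implemented (from the thread): a dot1q sub-interface consumes an
"internal VLAN" reserved for that single physical port, so its ID must not
appear as a sub-interface on another port nor as a switchport VLAN on a
trunk.  Counter comparison assumes (thread observation, not documented)
that sub-interface VLANs below 1006 are absent from the "internal" figure.
"""
import re
from collections import defaultdict

SUBIF_RE = re.compile(r"^interface (\S+?)\.(\d+)$")
IFACE_RE = re.compile(r"^interface (\S+)$")
ENCAP_RE = re.compile(r"^\s*encapsulation dot1[qQ] (\d+)")
ALLOWED_RE = re.compile(r"^\s*switchport trunk allowed vlan (?:add )?(\S+)")
INTERNAL_RE = re.compile(r"VLANs:\s*\d+ total,.*?(\d+) internal")
EXTENDED_START = 1006  # first extended-range VLAN ID on IOS


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,109-113,201' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ids.update(range(int(lo), int(hi) + 1))
        elif part:
            ids.add(int(part))
    return ids


def parse_config(text):
    """Return vlan -> ports using it as a sub-interface, and
    vlan -> switchports allowing it on a trunk."""
    subif_ports, trunk_ports = defaultdict(set), defaultdict(set)
    port, is_sub = None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SUBIF_RE.match(line)
        if m:
            port, is_sub = m.group(1), True
            continue
        m = IFACE_RE.match(line)
        if m:
            port, is_sub = m.group(1), False
            continue
        if port is None:
            continue
        m = ENCAP_RE.match(line)
        if m and is_sub:
            subif_ports[int(m.group(1))].add(port)
            continue
        m = ALLOWED_RE.match(line)
        if m and not is_sub:
            for vid in expand_vlan_list(m.group(1)):
                trunk_ports[vid].add(port)
    return subif_ports, trunk_ports


def find_conflicts(subif_ports, trunk_ports):
    """Each finding: (vlan, reason, sorted list of ports involved)."""
    findings = []
    for vid, ports in sorted(subif_ports.items()):
        if len(ports) > 1:
            findings.append((vid, "sub-interface VLAN on more than one port", sorted(ports)))
        switched = trunk_ports.get(vid, set())
        if switched:
            findings.append((vid, "sub-interface VLAN also switched on a trunk",
                             sorted(ports | switched)))
    return findings


def audit(config_text, capacity_text):
    subif_ports, trunk_ports = parse_config(config_text)
    m = INTERNAL_RE.search(capacity_text)
    n_subif = sum(len(p) for p in subif_ports.values())
    # Normal-range sub-interfaces consume an internal VLAN but, per the
    # thread's observation, do not show up in the "internal" counter.
    hidden = sum(len(p) for vid, p in subif_ports.items() if vid < EXTENDED_START)
    return {
        "conflicts": find_conflicts(subif_ports, trunk_ports),
        "reported_internal": int(m.group(1)) if m else None,
        "subinterface_vlans": n_subif,
        "hidden_from_counter": hidden,
    }


# Constructed sample: two sub-interfaces like Leonardo's, a trunk that also
# carries VLAN 20, a second port re-using VLAN 21, one extended-range sub-if.
SAMPLE_CONFIG = """\
interface GigabitEthernet4/1.20
 encapsulation dot1Q 20
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet4/1.21
 encapsulation dot1Q 21
!
interface GigabitEthernet4/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30-32
 switchport mode trunk
!
interface GigabitEthernet4/3.21
 encapsulation dot1Q 21
!
interface GigabitEthernet4/4.3800
 encapsulation dot1Q 3800
"""
# The 7609 figures quoted from the thread.
SAMPLE_CAPACITY = "VLAN Resources\nVLANs: 4094 total, 68 VTP, 0 extended, 16 internal, 4010 free\n"

if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, SAMPLE_CAPACITY)
    for vid, reason, ports in result["conflicts"]:
        print(f"VLAN {vid}: {reason}: {', '.join(ports)}")
    print(f"internal reported={result['reported_internal']} sub-interfaces="
          f"{result['subinterface_vlans']} not counted={result['hidden_from_counter']}")
```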
From peter at rathlev.dk Tue Dec 2 19:44:02 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Wed, 03 Dec 2008 01:44:02 +0100 Subject: [c-nsp] RES: VLAN internal usage In-Reply-To: <9E07F8717FE8BC4FBAE6860F61EA6C1D01DC96C7@spsrvmail03.nec.br> References: <9E07F8717FE8BC4FBAE6860F61EA6C1D01D9A84E@spsrvmail03.nec.br> <1228249152.3435.2.camel@localhost.localdomain> <9E07F8717FE8BC4FBAE6860F61EA6C1D01DC96C7@spsrvmail03.nec.br> Message-ID: <1228265042.5741.5.camel@localhost.localdomain> Hi, On Tue, 2008-12-02 at 20:46 -0300, Leonardo Gama Souza wrote: > So the command 'show platform hardware capacity vlan' should be tracking > the free internal VLANs, but this is not happening: > > 7609#show platform hardware capacity vlan > VLAN Resources > VLANs: 4094 total, 68 VTP, 0 extended, 16 internal, 4010 free > > As subinterfaces use "internal VLANs", I am actually using 18 internal > VLANs here. It seems this command is only tracking the "internal VLANs" > in the range 1006-4094 (automatically allocated by IOS). > Am I missing anything? Interesting; you are quite right: I tried moving a sub-interface between "encapsulation dot1q 6" and "encapsulation dot1q 3800", and the output changed: Switch(config-subif)#int gi4/8.6 Switch(config-subif)#enc dot 6 Switch(config-subif)#do sh pla har cap vl VLAN Resources VLANs: 4094 total, 130 VTP, 58 extended, 22 internal, 3884 free Switch(config-subif)#enc dot 3800 Switch(config-subif)#do sh pla har cap vl VLAN Resources VLANs: 4094 total, 130 VTP, 58 extended, 23 internal, 3883 free Switch(config-subif)# So if I use VLAN 6, I have an extra VLAN. I'm scheduling a service window a.s.a.p.! :-) (Or more realistically the output from the command is wrong...) 
Regards, Peter From nimal at fnbs.net Tue Dec 2 22:08:16 2008 From: nimal at fnbs.net (Nimal David Sirimanne) Date: Wed, 03 Dec 2008 11:08:16 +0800 Subject: [c-nsp] %AMDP2_FE-3-UNDERFLO: FastEthernet1/0 transmit error Message-ID: <4935F820.2060002@fnbs.net> Hi guys, Can anyone give me any insight into this problem? When I do a sh log on my 7206, I always see multiple entries for this error: Dec 3 01:48:04.145: %AMDP2_FE-3-UNDERFLO: FastEthernet1/0 transmit error Dec 3 01:53:24.238: %AMDP2_FE-3-UNDERFLO: FastEthernet1/0 transmit error Dec 3 02:25:58.301: %AMDP2_FE-3-UNDERFLO: FastEthernet1/0 transmit error Dec 3 02:52:48.477: %AMDP2_FE-3-UNDERFLO: FastEthernet1/0 transmit error I have a 7206 running an interface with multiple subif (fa1/0) to a 3550 running a trunk (giga0/9). We used to get this error before when we were using a 2950, before it got replaced by this 3550. I saw a previous thread about this, and the problem was because duplex configuration was inconsistent on the 2 connected interfaces, but that doesn't seem to be the case here? 7206: interface FastEthernet1/0 no ip address no ip mroute-cache duplex full no cdp enable ! interface FastEthernet1/0.1 encapsulation dot1Q 110 ip address X.X.X.X 255.255.255.248 ip access-group PERMIT_FREENET in no ip redirects no ip unreachables no ip proxy-arp no ip mroute-cache no cdp enable ! interface FastEthernet1/0.2 encapsulation dot1Q 109 ip address X.X.X.Y 255.255.255.252 ip access-group ANTI_SPOOF_INGRESS in no ip unreachables no ip proxy-arp no ip mroute-cache no cdp enable ! interface FastEthernet1/0.3 encapsulation dot1Q 111 ip address X.X.Y.Y 255.255.255.192 no ip unreachables no ip proxy-arp no ip mroute-cache no cdp enable ! interface FastEthernet1/0.4 encapsulation dot1Q 113 ip address X.X.X.Z 255.255.255.240 no ip redirects no ip unreachables no ip proxy-arp no ip mroute-cache no cdp enable !
interface FastEthernet1/0.5 encapsulation dot1Q 112 ip address X.X.W.W 255.255.255.240 no ip redirects no ip unreachables no ip proxy-arp no ip mroute-cache no cdp enable ! interface FastEthernet1/0.6 encapsulation dot1Q 201 ip address X.X.V.V 255.255.255.240 no ip redirects no ip unreachables no ip proxy-arp no ip mroute-cache no cdp enable 3550: interface GigabitEthernet0/9 description **** Trunk to 7206 **** switchport trunk encapsulation dot1q switchport trunk allowed vlan 1,109-113,201 switchport mode trunk duplex full Thanks! Nimal David Sirimanne From td_miles at yahoo.com Tue Dec 2 23:04:42 2008 From: td_miles at yahoo.com (Tony) Date: Tue, 2 Dec 2008 20:04:42 -0800 (PST) Subject: [c-nsp] %AMDP2_FE-3-UNDERFLO: FastEthernet1/0 transmit error In-Reply-To: <4935F820.2060002@fnbs.net> Message-ID: <744173.69992.qm@web110116.mail.gq1.yahoo.com> First hit on google search: http://supportwiki.cisco.com/ViewWiki/index.php/A_Catalyst_switch_causes_the_AMDP2_FE-3-UNDERFLO_error_on_a_connected_device ======== A Catalyst switch causes the %AMDP2_FE-3-UNDERFLO error on a connected device While a frame is being transmitted, the local buffer of the controller chip receives insufficient data. The data could not be transferred to the chip fast enough to keep pace with the output rate. Normally, such a condition is temporary, depending on transient peak loads within the system. The issue occurs when an excessive amount of traffic is processed by the FastEthernet interface. The error message is received when the traffic level reaches about 2.5 Mb. This traffic level constraint is due to a hardware limitation. Because of this there is a chance for the device connected to the catalyst switch to drop packets. ======== regards, Tony.
--- On Wed, 3/12/08, Nimal David Sirimanne wrote: > From: Nimal David Sirimanne > Subject: [c-nsp] %AMDP2_FE-3-UNDERFLO: FastEthernet1/0 transmit error > To: cisco-nsp at puck.nether.net > Date: Wednesday, 3 December, 2008, 2:08 PM From mtinka at globaltransit.net Wed Dec 3 00:57:20 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 3 Dec 2008 13:57:20 +0800 Subject: [c-nsp] Cisco VPN Client Causes Mac OS X Crash Message-ID: <200812031357.24415.mtinka@globaltransit.net> Probably a little off-topic for this list, but wondering if anyone else is registering random but frequent crashes and/or lock-ups of Mac OS X 10.5.5 when using Cisco VPN Client 4.9.01 (0100). Cheers, Mark. From sukumars at cisco.com Wed Dec 3 02:05:35 2008 From: sukumars at cisco.com (Sukumar Subburayan (sukumars)) Date: Tue, 2 Dec 2008 23:05:35 -0800 Subject: [c-nsp] RES: VLAN internal usage In-Reply-To: <1228265042.5741.5.camel@localhost.localdomain> References: <9E07F8717FE8BC4FBAE6860F61EA6C1D01D9A84E@spsrvmail03.nec.br><1228249152.3435.2.camel@localhost.localdomain><9E07F8717FE8BC4FBAE6860F61EA6C1D01DC96C7@spsrvmail03.nec.br> <1228265042.5741.5.camel@localhost.localdomain> Message-ID: It is a bug..
We will file one to get it fixed. sukumar -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev Sent: Wednesday, December 03, 2008 6:14 AM To: cisco-nsp Subject: Re: [c-nsp] RES: VLAN internal usage From zivl at gilat.net Wed Dec 3 02:41:37 2008 From: zivl at gilat.net (Ziv Leyes) Date: Wed, 3 Dec 2008 09:41:37 +0200 Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network In-Reply-To: <49357AD2.6040408@he.net> References: <49357AD2.6040408@he.net> Message-ID: Thank you all for your replies, it gave me a lot of clues and points to start from. Ziv -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Leber Sent: Tuesday, December 02, 2008 8:14 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] New IPv6 BGP peer on a pure IPv4 network Hi, if your transit provider doesn't already run native IPv6 you can get a tunnel at tunnelbroker.net, and you can request BGP via a request BGP tunnel command once you are logged in. Once you have IPv6 connectivity established (either native IPv6 or via a tunnel from anybody), if you want a self-teaching procedural guide where you can set up and test various IPv6 services (HTTP, SMTP, reverse DNS, forward DNS, host record glue) then you might check out our free IPv6 certification service at: http://ipv6.he.net/certification It's a bit tongue in cheek and meant to be sort of like entertainment with education for engineers (for example the certification ranks are from "Newb" to "Sage"). By the time you are done, IPv6 won't seem weird. (In fact, you'll probably be thinking "that's it?!") We are still adding tests and content as people suggest ideas, so if you run through it and see a gap you'd like covered, let me know. Mike. Ziv Leyes wrote: > Hi all, > I know this has probably been asked a thousand times. I'm not asking for answers, only for directions on where to start from.
> I have a network with three 7200VXR routers running C7200-IS-M Ver. > 12.4(13b). We run a few BGP uplink peers and we're uplink providers to quite a few other customers' BGP peers, all this in an IPv4-only environment. > I knew this day would come soon, it's like a nightmare above our heads. > One of our biggest customer peers is requiring us to set up an IPv6 peer with them. > I need some help in finding any information I need in order to make it work (Hardware, IOS, BGP configuration, IPv4←→IPv6 mixing, consequences, tradeoffs, etc.) I have no clue about IPv6, I only know it's a darn big range and a very weird and impossible-to-remember address format (HEXA?). > We still don't have our own IPv6 range, we need to apply for one on > RIPE, we don't know which of our uplink providers support IPv6 either… Will we be able to perform this task by ourselves or, with the lack of knowledge/experience, will it be better to call someone who knows the job? > Perhaps Hank? > > Thanks in advance, > > Ziv > > > > > > > ********************************************************************** > ************** This footnote confirms that this email message has been > scanned by PineApp Mail-SeCure for the presence of malicious code, > vandals & computer viruses.
> ********************************************************************** > ************** -- +---------------- H U R R I C A N E - E L E C T R I C ----------------+ | Mike Leber Wholesale IPv4 and IPv6 Transit 510 580 4100 | | Hurricane Electric AS6939 | | mleber at he.net Internet Backbone & Colocation http://he.net | +---------------------------------------------------------------------+
From sigurbjornl at vodafone.is Wed Dec 3 06:10:26 2008 From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson) Date: Wed, 03 Dec 2008 11:10:26 +0000 Subject: [c-nsp] Cisco VPN Client Causes Mac OS X Crash In-Reply-To: <200812031357.24415.mtinka@globaltransit.net> Message-ID: I've used it on a daily basis with 10.5.5 and previous releases for a long time and have never had it crash the machine. BR, Sibbi On 3.12.2008 05:57, "Mark Tinka" wrote: > Probably a little off-topic for this list, but wondering if > anyone else is registering random but frequent crashes > and/or lock-ups of Mac OS X 10.5.5 when using Cisco VPN > Client 4.9.01 (0100). > > Cheers, > > Mark. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From hegedus.gabor at euroway.hu Wed Dec 3 07:51:05 2008 From: hegedus.gabor at euroway.hu (Hegedus Gabor) Date: Wed, 03 Dec 2008 13:51:05 +0100 Subject: [c-nsp] cisco wifi problem Message-ID: <493680B9.90604@euroway.hu> Hi all! I have a problem with my cisco 851w device. When I try to connect to the wifi (with the correct key), this comes to the console: *Mar 1 2002 11:18:16.047 CET: *** Not encrypted dot1x packet from 00c0.a8aa.3955 has been discarded *Mar 1 2002 11:18:16.051 CET: *** Not encrypted dot1x packet from 00c0.a8aa.3955 has been discarded *Mar 1 2002 11:18:16.059 CET: *** Not encrypted dot1x packet from 00c0.a8aa.3955 has been discarded *Mar 1 2002 11:18:16.059 CET: *** Not encrypted dot1x packet from 00c0.a8aa.3955 has been discarded The authentication is okay because the wireless PC tells me "connected", and I don't know what the problem is... or how I can fix it.
here is the config: no aaa new-model clock timezone CET 1 clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00 ! ! crypto pki trustpoint TP-self-signed-4226531652 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-4226531652 revocation-check none rsakeypair TP-self-signed-4226531652 ! ! crypto pki certificate chain TP-self-signed-4226531652 certificate self-signed 01 30820344 ... quit crypto ctcp ! dot11 ssid Hrth authentication open authentication key-management wpa guest-mode infrastructure-ssid wpa-psk ascii 7 ***** ! no ip dhcp use vrf connected ip dhcp excluded-address 192.168.0.1 192.168.0.49 ip dhcp excluded-address 192.168.0.70 192.168.0.255 ! ip dhcp pool LAN import all network 192.168.0.0 255.255.255.0 default-router 192.168.0.1 lease 0 2 ! ip dhcp pool Wireless import all network 192.168.1.0 255.255.255.0 default-router 192.168.1.254 lease 0 2 ! ! ip cef no ip domain lookup ! vpdn enable ! ! ! username asdaew privilege 15 secret 5 ***** archive log config hidekeys ! ! ip ssh source-interface Vlan1 ip ssh logging events ip ssh version 2 ! ! interface FastEthernet4 no ip address ip tcp adjust-mss 1452 duplex auto speed auto pppoe enable group global pppoe-client dial-pool-number 1 ! interface Dot11Radio0 ip address 192.168.1.254 255.255.255.0 encryption mode ciphers tkip broadcast-key change 100000 ssid Hrth speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 0 station-role root ! interface Vlan1 ip address 197.1.155.250 255.255.255.0 secondary ip address 192.168.0.1 255.255.255.0 no ip proxy-arp ip inspect vlan_1_out out ip virtual-reassembly ip tcp adjust-mss 1452 ! interface Dialer0 bandwidth 512 ip address negotiated ip access-group 101 in ip inspect dialer_0_out out ip nat outside ip virtual-reassembly encapsulation ppp load-interval 30 dialer pool 1 dialer-group 1 no cdp enable ppp authentication pap callin ppp pap sent-username **@** password 7 **** ! 
ip route 0.0.0.0 0.0.0.0 Dialer0 ip route 197.0.0.0 255.0.0.0 197.1.155.254 ! no ip http server ip http authentication local ip http secure-server ip http secure-port 50443 ip http timeout-policy idle 60 life 86400 requests 10000 ip nat inside source list 180 interface Dialer0 overload ! dialer-list 1 protocol ip permit no cdp run ! end pls help thx Gabor From maillist at webjogger.net Wed Dec 3 09:14:29 2008 From: maillist at webjogger.net (Adam Greene) Date: Wed, 3 Dec 2008 09:14:29 -0500 Subject: [c-nsp] security References: <513746.70502.qm@web57414.mail.re1.yahoo.com><4288131ED5E3024C9CD4782CECCAD2C7037AFA84@LMC-MAIL2.exempla.org><49345749.6060602@west.net><82abd3a70812020640i4131bd70lfb087d40282d1e59@mail.gmail.com><49355476.7080808@heanet.ie> <20081202153636.GH8535@greenie.muc.de> <20081202173249.GB94540@root.ucsc.edu> Message-ID: <47A1B7D9994F4BB3B82C06E887951124@GINKGO> Thanks for helping me brush up on basic networking! :) Under what circumstances would directed broadcast actually be a useful feature? ----- Original Message ----- From: "Mark Boolootian" To: Sent: Tuesday, December 02, 2008 12:32 PM Subject: Re: [c-nsp] security > >> Actually, ARP does *not* use any IP broadcast address at all, neither >> "limited" or "subnet broadcast". > > Because it isn't using IP... 
From tdurack at gmail.com Wed Dec 3 09:23:49 2008 From: tdurack at gmail.com (Tim Durack) Date: Wed, 3 Dec 2008 09:23:49 -0500 Subject: [c-nsp] security In-Reply-To: <47A1B7D9994F4BB3B82C06E887951124@GINKGO> References: <513746.70502.qm@web57414.mail.re1.yahoo.com> <4288131ED5E3024C9CD4782CECCAD2C7037AFA84@LMC-MAIL2.exempla.org> <49345749.6060602@west.net> <82abd3a70812020640i4131bd70lfb087d40282d1e59@mail.gmail.com> <49355476.7080808@heanet.ie> <20081202153636.GH8535@greenie.muc.de> <20081202173249.GB94540@root.ucsc.edu> <47A1B7D9994F4BB3B82C06E887951124@GINKGO> Message-ID: <9e246b4d0812030623t4b3a53f8rf21c216b9e50d968@mail.gmail.com> On Wed, Dec 3, 2008 at 9:14 AM, Adam Greene wrote: > Thanks for helping me brush up on basic networking! :) > > Under what circumstances would directed broadcast actually be a useful > feature? Wake-on-LAN. That's the only reason we permit directed-broadcasts. Tim:> From chris at k7sle.com Wed Dec 3 09:54:35 2008 From: chris at k7sle.com (Chris Gauthier) Date: Wed, 03 Dec 2008 06:54:35 -0800 Subject: [c-nsp] security In-Reply-To: <9e246b4d0812030623t4b3a53f8rf21c216b9e50d968@mail.gmail.com> References: <513746.70502.qm@web57414.mail.re1.yahoo.com> <4288131ED5E3024C9CD4782CECCAD2C7037AFA84@LMC-MAIL2.exempla.org> <49345749.6060602@west.net> <82abd3a70812020640i4131bd70lfb087d40282d1e59@mail.gmail.com> <49355476.7080808@heanet.ie> <20081202153636.GH8535@greenie.muc.de> <20081202173249.GB94540@root.ucsc.edu> <47A1B7D9994F4BB3B82C06E887951124@GINKGO> <9e246b4d0812030623t4b3a53f8rf21c216b9e50d968@mail.gmail.com> Message-ID: <49369DAB.1060908@k7sle.com> 1. Thanks for the awesome explanations. I've been dealing with these terms for a while, but had not really grasped them too hard until now.
(To be honest, I had not looked them up in a while either.) 2. When would a directed broadcast be useful? Not only for WOL, but for some disk imaging software (e.g. Symantec Ghost), directed broadcasts are a way of pushing an image to multiple clients simultaneously. Ghost specifically offers the choice of multicast, directed broadcast, and unicast deployment via radio buttons on the options page before a "ghostcasting" session is started. Chris G. Tim Durack wrote: > On Wed, Dec 3, 2008 at 9:14 AM, Adam Greene wrote: > >> Thanks for helping me brush up on basic networking! :) >> >> Under what circumstances would directed broadcast actually be a useful >> feature? >> > > Wake-on-LAN. That's the only reason we permit directed-broadcasts. > > Tim:> From gert at greenie.muc.de Wed Dec 3 11:06:21 2008 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 3 Dec 2008 17:06:21 +0100 Subject: [c-nsp] New IPv6 BGP peer on a pure IPv4 network In-Reply-To: <49357AD2.6040408@he.net> References: <49357AD2.6040408@he.net> Message-ID: <20081203160621.GP8535@greenie.muc.de> Hi, On Tue, Dec 02, 2008 at 10:13:38AM -0800, Mike Leber wrote: > Once you have IPv6 connectivity established (either native IPv6 or via a > tunnel from anybody), if you want a self-teaching procedural guide where > you can set up and test various IPv6 services (HTTP, SMTP, reverse DNS, > forward DNS, host record glue) then you might check out our free IPv6 > certification service at: > > http://ipv6.he.net/certification This is great fun - *and* it's a good help in making sure that your IPv6 services (web, mail) are working and are reachable from the world. I just did this, and liked it a lot :-) - thanks, Mike! gert -- USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From cisco-nsp at natecarlson.com Wed Dec 3 12:26:15 2008 From: cisco-nsp at natecarlson.com (Nate Carlson) Date: Wed, 3 Dec 2008 11:26:15 -0600 (CST) Subject: [c-nsp] 6500 TCAM overflows; certain hosts unreachable? Message-ID: We're having some really odd issues with a pair of 6500's. We know that our TCAM table is overflowed, but it's worked fine up until now (new pair of SUP720-10GE's on order, but not here yet, of course.) Here are the TCAM errors we are getting, which are pretty typical: Dec 3 10:29:18: %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some entries will be software switched Dec 3 10:31:49: %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some entries will be software switched Dec 3 10:38:10: %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some entries will be software switched Our CPU load looks ok: cat2: CPU utilization for five seconds: 3%/1%; one minute: 6%; five minutes: 7% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 177 1033718361003824268 102 0.90% 0.44% 0.39% 0 Port manager per 86 20705308 326963504 63 0.32% 0.09% 0.08% 0 IP Input 3 52 149 348 0.32% 0.03% 0.00% 1 Virtual Exec 68 4432208 3722355 1190 0.08% 0.03% 0.01% 0 esw_vlan_stat_pr 105 2177564 4944501 440 0.08% 0.01% 0.00% 0 IP RIB Update 5 160343340 8258274 19416 0.00% 0.82% 0.90% 0 Check heaps cat1: CPU utilization for five seconds: 0%/0%; one minute: 6%; five minutes: 7% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 15 98375448 466005765 211 0.32% 0.58% 0.58% 0 ARP Input 3 24 123 195 0.16% 0.01% 0.00% 1 Virtual Exec 105 1696000 4795797 353 0.08% 0.01% 0.00% 0 IP RIB Update 1 0 124 0 0.00% 0.00% 0.00% 0 Chunk Manager 2 11072 3505348 3 0.00% 0.00% 0.00% 0 Load
Meter 4 0 2 0 0.00% 0.00% 0.00% 0 IpSecMibTopN 5 161516388 8266617 19538 0.00% 1.04% 0.98% 0 Check heaps We have meshed BGP between these two 6500's and a pair of 7200's, one with a NPE-G1 and one with a NPE-G2. The ISP connections are on the 7200's, and we have the routes coming back to the 6500's via iBGP. These problems all started early this morning, when we swapped the NPE-G1 for a NPE-G2. After that, we started having intermittent connectivity issues to various IP's on the internet. When we saw those issues, we swapped the G1 back in, with the same config (verified via Rancid.) >From our hosts connected to the 6500's, some remote IP's work fine, IE (mtr report): $ mtr --report 216.250.164.1 HOST: nagios Loss% Snt Last Avg Best Wrst StDev 1. x.x.207.14 0.0% 10 108.6 11.4 0.3 108.6 34.2 2. x.x..207.229 0.0% 10 1.2 0.7 0.4 1.2 0.3 3. 207-250-239-5.static.twtelec 0.0% 10 79.7 33.6 0.9 103.9 44.0 4. peer-02-so-0-0-0-0.chcg.twte 0.0% 10 12.2 12.7 11.6 19.1 2.3 5. min-edge-12.inet.qwest.net 0.0% 10 11.7 11.5 11.2 12.1 0.3 6. 67.130.18.94 0.0% 10 13.2 12.3 11.9 13.2 0.4 7. c4500-1.bdr.mpls.iphouse.net 0.0% 10 12.6 13.3 12.3 18.9 2.0 8. c2801-1-uplink.msp.technical 0.0% 10 14.1 12.9 12.0 14.1 0.6 9. oxygen.msp.technicality.org 0.0% 10 12.6 12.8 12.1 14.1 0.6 Other remote IP's, we lose packets at the first .14 hop (which is the 6509): $ mtr --report 67.135.105.97 HOST: nagios Loss% Snt Last Avg Best Wrst StDev 1. x.x.207.14 40.0% 10 0.2 12.9 0.2 74.3 30.1 2. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0 3. min-edge-10.inet.qwest.net 80.0% 10 0.9 1.2 0.9 1.6 0.5 4. min-core-01.inet.qwest.net 90.0% 10 1.3 1.3 1.3 1.3 0.0 5. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0 6. 205.171.139.30 70.0% 10 11.1 11.2 11.0 11.5 0.2 Of course, all the people reporting connectivity issues to us are on IP's like this where the first hop goes bad. 
Now, the real odd part, is that from the same 6509, coming from the .14 address, I can hit those IP's without any issues: -- start of output -- 511-cat1>#ping Protocol [ip]: Target IP address: 67.135.105.97 Repeat count [5]: 50 Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 66.187.207.14 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 50, 100-byte ICMP Echos to 67.135.105.97, timeout is 2 seconds: Packet sent with a source address of 66.187.207.14 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Success rate is 100 percent (50/50), round-trip min/avg/max = 8/10/12 ms -- end of output -- Are these the type of issues expected with TCAM overflows? It seems odd to me that our CPU utilization would be low, but we'd be having these, unless 'sh proc cpu' isn't the right place to look for that? Appreciate any thoughts. If we can definitively say that TCAM is the issue, we'll filter our BGP routes (get rid of the /24's).. my understanding is that to get hardware-switched routes again, though, we'd have to reboot the 6500 - is that also correct? Thanks much! -Nate From john at vanoppen.com Wed Dec 3 13:12:50 2008 From: john at vanoppen.com (John van Oppen) Date: Wed, 3 Dec 2008 10:12:50 -0800 Subject: [c-nsp] 6500 TCAM overflows; certain hosts unreachable? References: Message-ID: Do you have a reason you can't do a partial BGP feed with a default route between the 7200s and the 6500s to lower the table size? -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nate Carlson Sent: Wednesday, December 03, 2008 9:26 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] 6500 TCAM overflows; certain hosts unreachable? We're having some really odd issues with a pair of 6500's. 
We know that our TCAM table is overflowed, but it's worked fine up until now (new pair of SUP720-10GE's on order, but not here yet, of course.) Here's the TCAM errors we are getting, which are pretty typical: Dec 3 10:29:18: %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some entries will be software switched Dec 3 10:31:49: %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some entries will be software switched Dec 3 10:38:10: %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some entries will be software switched Our CPU load looks ok: cat2: CPU utilization for five seconds: 3%/1%; one minute: 6%; five minutes: 7% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 177 1033718361003824268 102 0.90% 0.44% 0.39% 0 Port manager per 86 20705308 326963504 63 0.32% 0.09% 0.08% 0 IP Input 3 52 149 348 0.32% 0.03% 0.00% 1 Virtual Exec 68 4432208 3722355 1190 0.08% 0.03% 0.01% 0 esw_vlan_stat_pr 105 2177564 4944501 440 0.08% 0.01% 0.00% 0 IP RIB Update 5 160343340 8258274 19416 0.00% 0.82% 0.90% 0 Check heaps cat1: CPU utilization for five seconds: 0%/0%; one minute: 6%; five minutes: 7% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 15 98375448 466005765 211 0.32% 0.58% 0.58% 0 ARP Input 3 24 123 195 0.16% 0.01% 0.00% 1 Virtual Exec 105 1696000 4795797 353 0.08% 0.01% 0.00% 0 IP RIB Update 1 0 124 0 0.00% 0.00% 0.00% 0 Chunk Manager 2 11072 3505348 3 0.00% 0.00% 0.00% 0 Load Meter 4 0 2 0 0.00% 0.00% 0.00% 0 IpSecMibTopN 5 161516388 8266617 19538 0.00% 1.04% 0.98% 0 Check heaps We have meshed BGP between these two 6500's and a pair of 7200's, one with a NPE-G1 and one with a NPE-G2. The ISP connections are on the 7200's, and we have the routes coming back to the 6500's via iBGP. These problems all started early this morning, when we swapped the NPE-G1 for a NPE-G2. After that, we started having intermittent connectivity issues to various IP's on the internet. When we saw those issues, we swapped the G1 back in, with the same config (verified via Rancid.) 
>From our hosts connected to the 6500's, some remote IP's work fine, IE (mtr report): $ mtr --report 216.250.164.1 HOST: nagios Loss% Snt Last Avg Best Wrst StDev 1. x.x.207.14 0.0% 10 108.6 11.4 0.3 108.6 34.2 2. x.x..207.229 0.0% 10 1.2 0.7 0.4 1.2 0.3 3. 207-250-239-5.static.twtelec 0.0% 10 79.7 33.6 0.9 103.9 44.0 4. peer-02-so-0-0-0-0.chcg.twte 0.0% 10 12.2 12.7 11.6 19.1 2.3 5. min-edge-12.inet.qwest.net 0.0% 10 11.7 11.5 11.2 12.1 0.3 6. 67.130.18.94 0.0% 10 13.2 12.3 11.9 13.2 0.4 7. c4500-1.bdr.mpls.iphouse.net 0.0% 10 12.6 13.3 12.3 18.9 2.0 8. c2801-1-uplink.msp.technical 0.0% 10 14.1 12.9 12.0 14.1 0.6 9. oxygen.msp.technicality.org 0.0% 10 12.6 12.8 12.1 14.1 0.6 Other remote IP's, we lose packets at the first .14 hop (which is the 6509): $ mtr --report 67.135.105.97 HOST: nagios Loss% Snt Last Avg Best Wrst StDev 1. x.x.207.14 40.0% 10 0.2 12.9 0.2 74.3 30.1 2. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0 3. min-edge-10.inet.qwest.net 80.0% 10 0.9 1.2 0.9 1.6 0.5 4. min-core-01.inet.qwest.net 90.0% 10 1.3 1.3 1.3 1.3 0.0 5. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0 6. 205.171.139.30 70.0% 10 11.1 11.2 11.0 11.5 0.2 Of course, all the people reporting connectivity issues to us are on IP's like this where the first hop goes bad. Now, the real odd part, is that from the same 6509, coming from the .14 address, I can hit those IP's without any issues: -- start of output -- 511-cat1>#ping Protocol [ip]: Target IP address: 67.135.105.97 Repeat count [5]: 50 Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: y Source address or interface: 66.187.207.14 Type of service [0]: Set DF bit in IP header? [no]: Validate reply data? [no]: Data pattern [0xABCD]: Loose, Strict, Record, Timestamp, Verbose[none]: Sweep range of sizes [n]: Type escape sequence to abort. Sending 50, 100-byte ICMP Echos to 67.135.105.97, timeout is 2 seconds: Packet sent with a source address of 66.187.207.14 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
Success rate is 100 percent (50/50), round-trip min/avg/max = 8/10/12 ms -- end of output -- Are these the type of issues expected with TCAM overflows? It seems odd to me that our CPU utilization would be low, but we'd be having these, unless 'sh proc cpu' isn't the right place to look for that? Appreciate any thoughts. If we can definitively say that TCAM is the issue, we'll filter our BGP routes (get rid of the /24's).. my understanding is that to get hardware-switched routes again, though, we'd have to reboot the 6500 - is that also correct? Thanks much! -Nate _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From cisco-nsp at natecarlson.com Wed Dec 3 13:25:13 2008 From: cisco-nsp at natecarlson.com (Nate Carlson) Date: Wed, 3 Dec 2008 12:25:13 -0600 (CST) Subject: [c-nsp] 6500 TCAM overflows; certain hosts unreachable? In-Reply-To: References: Message-ID: On Wed, 3 Dec 2008, John van Oppen wrote: > Do you have a reason you can't do a partial BGP feed with a default > route between the 7200s and the 6500s to lower the table size? We're debating that.. I'm not the guy who designed this, but that's the long-term goal. ;) Right now, we're filtering /24's to get by temporarily (with default routes to cover), which after doing a 'clear ip route' on the Cat's, gave us: Dec 3 11:49:02: %MLSCEF-SP-7-END_FIB_EXCEPTION: FIB TCAM exception cleared, all CEF entries will be hardware switched ..and the problem cleared up. We'll be looking at re-architecting some of this shortly, but this should get us by for now. Thanks for the replies! 
-Nate From ryan at deadfrog.net Wed Dec 3 13:33:45 2008 From: ryan at deadfrog.net (Ryan Wilkins) Date: Wed, 3 Dec 2008 12:33:45 -0600 Subject: [c-nsp] Cisco VPN Client Causes Mac OS X Crash In-Reply-To: <200812031357.24415.mtinka@globaltransit.net> References: <200812031357.24415.mtinka@globaltransit.net> Message-ID: <74004B98-AADE-442B-9A1E-436CFA4C58B5@deadfrog.net> Negative. I've used several versions on Mac OS X 10.4 and 10.5 without issue. I've only used it on a MacBook Pro. Regards, Ryan On Dec 2, 2008, at 11:57 PM, Mark Tinka wrote: > Probably a little off-topic for this list, but wondering if > anyone else is registering random but frequent crashes > and/or lock-ups of Mac OS X 10.5.5 when using Cisco VPN > Client 4.9.01 (0100). > > Cheers, > > Mark. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From Moens at carrier2carrier.com Wed Dec 3 14:40:03 2008 From: Moens at carrier2carrier.com (Martin Moens) Date: Wed, 3 Dec 2008 20:40:03 +0100 Subject: [c-nsp] 6500 TCAM overflows; certain hosts unreachable? In-Reply-To: Message-ID: <42F0C766A9A8DB47B5E86CA64738DC8B01905D1F@bilbo.bdhz.c2c.local> Nate Carlson <> wrote: > We're having some really odd issues with a pair of 6500's. We know > that > our TCAM table is overflowed, but it's worked fine up until now (new > pair > of SUP720-10GE's on order, but not here yet, of course.) > > Here's the TCAM errors we are getting, which are pretty typical: > > Dec 3 10:29:18: %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some > entries will be software switched Dec 3 10:31:49: > %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some entries will be > software switched Dec 3 10:38:10: %MLSCEF-SP-7-FIB_EXCEPTION: FIB > TCAM exception, Some entries will be software switched I had exactly the same situation with a rsp720-3c > for a NPE-G2. 
After that, we started having intermittent connectivity > issues to various IP's on the internet. When we saw those issues, we > swapped the G1 back in, with the same config (verified via Rancid.) > > From our hosts connected to the 6500's, some remote IP's work fine, Sounds very familiar ;-) > Now, the real odd part, is that from the same 6509, coming from the > .14 > address, I can hit those IP's without any issues: Same here > Are these the type of issues expected with TCAM overflows? It seems > odd to > me that our CPU utilization would be low, but we'd be having these, > unless 'sh proc cpu' isn't the right place to look for that? Yes. > Appreciate any thoughts. If we can definitively say that TCAM is the > issue, we'll filter our BGP routes (get rid of the /24's).. my > understanding is that to get hardware-switched routes again, though, > we'd have to reboot the 6500 - is that also correct? > > Thanks much! > > -Nate I solved my problem by requesting my upstreams to provide me with a default route, and only have my IX sessions unfiltered. This brought the number of routes back to ~60K which was ok after a reboot. Beginning this week the 3c was replaced with a 3cxl, everything works again as it should. Reboot was really needed btw. Good luck.... Martin From achatz at forthnet.gr Wed Dec 3 14:55:24 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Wed, 03 Dec 2008 21:55:24 +0200 Subject: [c-nsp] destination span rate is lower than source Message-ID: <4936E42C.6000209@forthnet.gr> I'm trying to troubleshoot an issue on a 6500/SUP2 and i have noticed that when mirroring a specific port, i'm getting less traffic that is actually going out. The source is sending continuously at the same rate and the problem is happening all the time. 
6500#sh int gi3/24 | i ut rate 30 second input rate 83000 bits/sec, 137 packets/sec 30 second output rate 284000 bits/sec, 191 packets/sec 6500#sh int gi3/29 | i ut rate 30 second input rate 0 bits/sec, 0 packets/sec 30 second output rate 54000 bits/sec, 85 packets/sec 6500#sh monitor session 13 Session 13 ---------- Type : Local Session Source Ports : RX Only : Gi3/24 Destination Ports : Gi3/29 Port Gi3/24 is a trunk port and Gi3/29 is a routed port (i have tried switchport and with trunk too). I have checked traffic of ports 3/24-3/31 and the total is quite low. GigabitEthernet3/24 is up, line protocol is up (connected) 30 second input rate 83000 bits/sec, 138 packets/sec 30 second output rate 284000 bits/sec, 190 packets/sec GigabitEthernet3/25 is up, line protocol is up (connected) 30 second input rate 6000 bits/sec, 6 packets/sec 30 second output rate 21000 bits/sec, 30 packets/sec GigabitEthernet3/26 is up, line protocol is up (connected) 30 second input rate 0 bits/sec, 0 packets/sec 30 second output rate 0 bits/sec, 0 packets/sec GigabitEthernet3/27 is up, line protocol is up (connected) 30 second input rate 0 bits/sec, 0 packets/sec 30 second output rate 0 bits/sec, 0 packets/sec GigabitEthernet3/28 is up, line protocol is up (connected) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 11000 bits/sec, 19 packets/sec GigabitEthernet3/29 is up, line protocol is down (monitoring) 30 second input rate 0 bits/sec, 0 packets/sec 30 second output rate 54000 bits/sec, 86 packets/sec GigabitEthernet3/30 is up, line protocol is up (connected) 5 minute input rate 138000 bits/sec, 38 packets/sec 5 minute output rate 95000 bits/sec, 39 packets/sec GigabitEthernet3/31 is up, line protocol is down (notconnect) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec module 3 is a WS-X6148-GE-TX, 6500/SUP2 runs 12.1(26)E9 and the cpu load is around 5%. 
Is there a case the extra traffic could be dropped somewhere after being counted on the port and before going into span? Checking for errors didn't return anything too. -- Tassos From jlewis at lewis.org Wed Dec 3 16:23:39 2008 From: jlewis at lewis.org (Jon Lewis) Date: Wed, 3 Dec 2008 16:23:39 -0500 (EST) Subject: [c-nsp] 6500 TCAM overflows; certain hosts unreachable? In-Reply-To: References: Message-ID: On Wed, 3 Dec 2008, Nate Carlson wrote: > We're debating that.. I'm not the guy who designed this, but that's the > long-term goal. ;) > > Right now, we're filtering /24's to get by temporarily (with default routes > to cover), which after doing a 'clear ip route' on the Cat's, gave us: I assume these are sup2 or something else lower than sup720-3bxl? And you're feeding them full routes...somewhere around 270k routes? If so, I'm kind of surprised it took until now to break. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From vinny at tellurian.com Wed Dec 3 18:06:13 2008 From: vinny at tellurian.com (Vinny Abello) Date: Wed, 3 Dec 2008 18:06:13 -0500 Subject: [c-nsp] Cisco VPN Client Causes Mac OS X Crash In-Reply-To: <74004B98-AADE-442B-9A1E-436CFA4C58B5@deadfrog.net> References: <200812031357.24415.mtinka@globaltransit.net> <74004B98-AADE-442B-9A1E-436CFA4C58B5@deadfrog.net> Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056463F07CAAE@EXCHANGENJ1.ds.tellurian.net> Works great for me on OS X 10.5.5... also on a MBP. No stability problems at all. Now if I could get the VPN client to add the domain suffix to my search order each time I connect, it would be perfect. Has anyone seen that work on OS X? 
-Vinny > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Ryan Wilkins > Sent: Wednesday, December 03, 2008 1:34 PM > To: mtinka at globaltransit.net > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Cisco VPN Client Causes Mac OS X Crash > > Negative. I've used several versions on Mac OS X 10.4 and 10.5 > without issue. I've only used it on a MacBook Pro. > > Regards, > > Ryan > > On Dec 2, 2008, at 11:57 PM, Mark Tinka wrote: > > > Probably a little off-topic for this list, but wondering if > > anyone else is registering random but frequent crashes > > and/or lock-ups of Mac OS X 10.5.5 when using Cisco VPN > > Client 4.9.01 (0100). > > > > Cheers, > > > > Mark. > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mtinka at globaltransit.net Wed Dec 3 21:36:56 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Thu, 4 Dec 2008 10:36:56 +0800 Subject: [c-nsp] Cisco VPN Client Causes Mac OS X Crash In-Reply-To: <15CEC87F00BB7B4CA0E904C5FCF056463F07CAAE@EXCHANGENJ1.ds.tellurian.net> References: <200812031357.24415.mtinka@globaltransit.net> <74004B98-AADE-442B-9A1E-436CFA4C58B5@deadfrog.net> <15CEC87F00BB7B4CA0E904C5FCF056463F07CAAE@EXCHANGENJ1.ds.tellurian.net> Message-ID: <200812041037.02324.mtinka@globaltransit.net> On Thursday 04 December 2008 07:06:13 Vinny Abello wrote: > Works great for me on OS X 10.5.5... also on a MBP. No > stability problems at all. Each time my laptop freezes up (and needs a hard reset), the bug report indicates Cisco VPN Client had something to do with it. 
It only seems to happen when the client is connected to the VPN server, but not, necessarily, when it's merely open and unconnected. There have been a number of reports on this issue (albeit in slightly earlier versions of OS X): http://www.macosxhints.com/article.php?story=20060920100339745 I'm just not sure if these issues have propagated to 10.5.5. It would be nice if Cisco released newer versions of this code as often as they did for other OS's. > Now if I could get the VPN > client to add the domain suffix to my search order each > time I connect, it would be perfect. Has anyone seen that > work on OS X? Works fine for me - we use EasyVPN: conf t crypto isakmp client configuration group foo domain bar.com It automatically gets added to my search list and system domain name each time I connect (and removed when I disconnect). Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From vinny at tellurian.com Wed Dec 3 22:55:52 2008 From: vinny at tellurian.com (Vinny Abello) Date: Wed, 3 Dec 2008 22:55:52 -0500 Subject: [c-nsp] Cisco VPN Client Causes Mac OS X Crash In-Reply-To: <200812041037.02324.mtinka@globaltransit.net> References: <200812031357.24415.mtinka@globaltransit.net> <74004B98-AADE-442B-9A1E-436CFA4C58B5@deadfrog.net> <15CEC87F00BB7B4CA0E904C5FCF056463F07CAAE@EXCHANGENJ1.ds.tellurian.net>, <200812041037.02324.mtinka@globaltransit.net> Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056463F0DAF00@EXCHANGENJ1.ds.tellurian.net> My laptop never freezes and I'll be connected with the VPN client the entire day sometimes. I'm running 4.9.01(0100) with OS X 10.5.5. I've used previous versions with OS X 10.4.10 and 10.4.11 along with 10.5 through 10.5.5 and never experienced any lockups with the Cisco VPN client. Do you have any other type of software like Parallels or VMWare Fusion installed? 
I think I've heard of some odd conflicts with similar programs. I've tried the trials and never saw anything, but don't have them installed on my MBP currently. Maybe it's a combination of network driver in OS X and the Cisco VPN client. I'm always using the Airport Extreme (en1 in my system). I also run IPv6, but I doubt that has any bearing on it. Regarding the domain search list, I think I overlooked something very simple. It does indeed add it to my domain and search list in /etc/resolv.conf... what I was overlooking is I usually connect to FreeBSD machines that don't exist in the same search suffix where I modified my workstation to include this suffix. Nevermind on that. I'll have to add another domain if I can. It's on an old VPN 3002 concentrator. -Vinny ________________________________________ From: Mark Tinka [mtinka at globaltransit.net] Sent: Wednesday, December 03, 2008 9:36 PM To: Vinny Abello Cc: Ryan Wilkins; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco VPN Client Causes Mac OS X Crash On Thursday 04 December 2008 07:06:13 Vinny Abello wrote: > Works great for me on OS X 10.5.5... also on a MBP. No > stability problems at all. Each time my laptop freezes up (and needs a hard reset), the bug report indicates Cisco VPN Client had something to do with it. It only seems to happen when the client is connected to the VPN server, but not, necessarily, when it's merely open and unconnected. There have been a number of reports on this issue (albeit in slightly earlier versions of OS X): http://www.macosxhints.com/article.php?story=20060920100339745 I'm just not sure if these issues have propagated to 10.5.5. It would be nice if Cisco released newer versions of this code as often as they did for other OS's. > Now if I could get the VPN > client to add the domain suffix to my search order each > time I connect, it would be perfect. Has anyone seen that > work on OS X? 
Works fine for me - we use EasyVPN: conf t crypto isakmp client configuration group foo domain bar.com It automatically gets added to my search list and system domain name each time I connect (and removed when I disconnect). Cheers, Mark. From tstevens at cisco.com Thu Dec 4 00:14:21 2008 From: tstevens at cisco.com (Tim Stevenson) Date: Wed, 03 Dec 2008 21:14:21 -0800 Subject: [c-nsp] Nexus 7000 fiber 1GBit linecard. In-Reply-To: <20081202162147.GA73785@bts.sk> References: <200811111449.mABEnfOu030925@racing2.mecon.ar> <200812011753.mB1Hrf1c005254@racing2.mecon.ar> <20081202162147.GA73785@bts.sk> Message-ID: DOM is supported with appropriate SFP models (ie, those that are DOM capable, such as SFP-GE-S, -L, -Z). Tim At 08:21 AM 12/2/2008, Marian ??urkovi?? murmered: >On Mon, Dec 01, 2008 at 02:53:41PM -0300, Juan Angel Menendez wrote: > > > > > > It's already here: N7K-M148GS-11 Nexus > > 7000 Series 48-Port Gigabit Ethernet Module (SFP) with 40 Gbps Fabric > > > > > http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/Data_Sheet_C78-437763.html > >Hmm, this datasheet shows Time Domain Reflectometry support on 48-port >copper module, but no Digital Optical Monitoring support on fiber module. >So again, fiber connections have less layer-1 monitoring capabilities than >the copper ones... > >Is this just a temporary limitation of the initial NX-OS release, >or do these SFP cards suffer from the same problems as the 6748-SFP >cards for Cat6500 where DOM still doesn't work? > > > Thanks & kind regards, > > M. 
>_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at http://puck.nether.net/pipermail/cisco-nsp/ Tim Stevenson, tstevens at cisco.com Routing & Switching CCIE #5561 Technical Marketing Engineer, Cisco Nexus 7000 Cisco Systems, http://www.cisco.com IP Phone: 408-526-6759 ******************************************************** The contents of this message may be *Cisco Confidential* and are intended for the specified recipients only. From vinny at tellurian.com Thu Dec 4 01:44:15 2008 From: vinny at tellurian.com (Vinny Abello) Date: Thu, 4 Dec 2008 01:44:15 -0500 Subject: [c-nsp] security In-Reply-To: <49369DAB.1060908@k7sle.com> References: <513746.70502.qm@web57414.mail.re1.yahoo.com> <4288131ED5E3024C9CD4782CECCAD2C7037AFA84@LMC-MAIL2.exempla.org> <49345749.6060602@west.net> <82abd3a70812020640i4131bd70lfb087d40282d1e59@mail.gmail.com> <49355476.7080808@heanet.ie> <20081202153636.GH8535@greenie.muc.de> <20081202173249.GB94540@root.ucsc.edu> <47A1B7D9994F4BB3B82C06E887951124@GINKGO> <9e246b4d0812030623t4b3a53f8rf21c216b9e50d968@mail.gmail.com> <49369DAB.1060908@k7sle.com> Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056463F07CAC3@EXCHANGENJ1.ds.tellurian.net> I've also seen directed broadcast needed for remote management of some thin client platforms across subnets. -Vinny > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Chris Gauthier > Sent: Wednesday, December 03, 2008 9:55 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] security > > 1. Thanks for the awesome explanations. I've been dealing with these > terms for a while, but had not really grasped them too hard until now. > (To be honest, I had not looked them up in a while either.) > > 2. When would a directed broadcast be useful? Not only for WOL, but > for some disk imaging software (e.g. 
> Symantec Ghost), directed broadcasts is a way of pushing an image to multiple clients
> simultaneously. Ghost specifically offers the choice of multicast, directed broadcast,
> and unicast deployment via radio buttons on the options page before a "ghostcasting"
> session is started.
>
> Chris G.
>
> Tim Durack wrote:
> > On Wed, Dec 3, 2008 at 9:14 AM, Adam Greene wrote:
> >
> >> Thanks for helping me brush up on basic networking! :)
> >>
> >> Under what circumstances would directed broadcast actually be a useful feature?
> >
> > Wake-on-LAN. That's the only reason we permit directed-broadcasts.
> >
> > Tim:>

From mm at math.pub.ro Thu Dec 4 02:29:44 2008
From: mm at math.pub.ro (mm-tech)
Date: Thu, 4 Dec 2008 09:29:44 +0200 (EET)
Subject: [c-nsp] bgp weird issue
In-Reply-To: <3176.79.118.191.161.1228120451.squirrel@ssl.math.pub.ro>
References: <3176.79.118.191.161.1228120451.squirrel@ssl.math.pub.ro>
Message-ID: <4356.86.121.173.196.1228375784.squirrel@ssl.math.pub.ro>

Hi guys,

I've finally solved the mystery of that /29 subnet being blocked after the iBGP relationship came up.
It was because of the "ip verify unicast reverse-path" option enabled on Router1 on the interfaces connecting the router to ISPA.
I had this option enabled to prevent IP spoofing, but it seems that it affects iBGP in a negative way, BGP being a unicast protocol.

Thanks,
john

>> Hello John:
>>
>> On 11/30/08 10:32 AM, "mm-tech" wrote:
>>
>>> The issue is after I configure the iBGP relationship between Router1 and
>>> Router2: connectivity to the 62.217.X.X/29 subnet on Router1 is lost. It
>>> cannot be pinged anymore from outside. The 91.195.X.X/23 is announced
>>> correctly through both ISPs and any IP in this /23 subnet is pingable from
>>> outside. The only problem is with the 62.217.X.X/29 block that becomes
>>> unreachable after configuring the iBGP relationship and I don't understand
>>> why this is happening.
>>>
>>> Sorry for the long post and I hope you'll give me some hints -:)
>>>
>>> Thanks,
>>> John
>>
>> How is the /29 configured on router 1? If it's being statically routed from
>> your ISP, then you need to have it in your IGP somehow. Something simple
>> would be:
>>
>> Interface x/x
>> Ip address 62.217.x.x 255.255.255.248
>>
>> Router ospf 10
>> Redistribute connected subnets
>>
>> More information is needed, I'm afraid.
>>
>> Regards,
>>
>> Mike
>>
> Yes, the /29 subnet is configured on Router1 on a SVI interface. I haven't
> tried to put this /29 into my IGP. I'll try that and I'll let you know guys.
>
> If you need more info, please let me know...
>
> Thanks,
> john

From blahu77 at gmail.com Thu Dec 4 03:28:29 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 4 Dec 2008 08:28:29 +0000
Subject: [c-nsp] bgp weird issue
In-Reply-To: <4356.86.121.173.196.1228375784.squirrel@ssl.math.pub.ro>
References: <3176.79.118.191.161.1228120451.squirrel@ssl.math.pub.ro> <4356.86.121.173.196.1228375784.squirrel@ssl.math.pub.ro>
Message-ID: <383357750812040028o2c234f79ve305ee90ef9fd278@mail.gmail.com>

> I've finally solved the mystery of that /29 subnet being blocked
> after the iBGP relationship came up.
> It was because of the "ip verify unicast reverse-path" option enabled on
> Router1 on the interfaces connecting the router to ISPA.
> I had this option enabled to prevent IP spoofing, but it seems that it
> affects iBGP in a negative way, BGP being a unicast protocol.

you can still use it with the new command "ip verify unicast source reachable-via _any_"
which will allow rpf traffic as long as the router has the route to the destination via ANY interfaces.
I.e. you have to make sure that the other router is aware of the /29 in question.

Best Regards,

-mat
--
pgp-key 0x1C655CAB

From mtinka at globaltransit.net Thu Dec 4 02:27:12 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 4 Dec 2008 15:27:12 +0800
Subject: [c-nsp] Cisco VPN Client Causes Mac OS X Crash
In-Reply-To: <15CEC87F00BB7B4CA0E904C5FCF056463F0DAF00@EXCHANGENJ1.ds.tellurian.net>
References: <200812031357.24415.mtinka@globaltransit.net> <200812041037.02324.mtinka@globaltransit.net> <15CEC87F00BB7B4CA0E904C5FCF056463F0DAF00@EXCHANGENJ1.ds.tellurian.net>
Message-ID: <200812041527.12792.mtinka@globaltransit.net>

On Thursday 04 December 2008 11:55:52 Vinny Abello wrote:

> My laptop never freezes and I'll be connected with the
> VPN client the entire day sometimes.

It's random... sometimes I'll go for days to weeks on end (I hibernate more often than I shutdown) without incident, and then out of the blue (or rather, grey, in OS X's case), bam!

It occurs more frequently when I'm on the road, naturally, because then I'm connected to our VPN network most of the time.

> Do you have any other type of software
> like Parallels or VMWare Fusion installed?

I run Linux in VMware Fusion (Maildir-capable MUA's in OS X suck, but that's another story).

I'll grab a snapshot of the bug report the next time it happens. I've submitted them to Apple each time, but not sure whether there is a body attending to them.

Mark.

From blahu77 at gmail.com Thu Dec 4 05:26:19 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 4 Dec 2008 10:26:19 +0000
Subject: [c-nsp] bgp weird issue
In-Reply-To: <200812041816.06827.mtinka@globaltransit.net>
References: <4356.86.121.173.196.1228375784.squirrel@ssl.math.pub.ro> <383357750812040028o2c234f79ve305ee90ef9fd278@mail.gmail.com> <200812041816.06827.mtinka@globaltransit.net>
Message-ID: <383357750812040226o6bcee593r754dd77d5a1ae279@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> you can still use it with the new command "ip verify
>> unicast source reachable-via _any_"
>> which will allow rpf traffic as long as the router has
>> the route to the destination...
>
> You mean the source, right :-).

mhm, you get easily confused there :-)

Thanks for pointing that out.

- --
pgp-key 0x1C655CAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJN7BK+BuaDRxlXKsRAqjNAJ9zsOcFRNgB5JYA4hKBO4n79IA2ugCfUB7h
RrMiR8W5C8bgMX2winawofE=
=24tn
-----END PGP SIGNATURE-----

From mtinka at globaltransit.net Thu Dec 4 05:16:06 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 4 Dec 2008 18:16:06 +0800
Subject: [c-nsp] bgp weird issue
In-Reply-To: <383357750812040028o2c234f79ve305ee90ef9fd278@mail.gmail.com>
References: <4356.86.121.173.196.1228375784.squirrel@ssl.math.pub.ro> <383357750812040028o2c234f79ve305ee90ef9fd278@mail.gmail.com>
Message-ID: <200812041816.06827.mtinka@globaltransit.net>

On Thursday 04 December 2008 16:28:29 Mateusz Błaszczyk wrote:

> you can still use it with the new command "ip verify
> unicast source reachable-via _any_"
> which will allow rpf traffic as long as the router has
> the route to the destination...

You mean the source, right :-).

Cheers,

Mark.
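The failure john hit, and the loose-mode workaround Mateusz and Mark settle on in the thread above, as an added example that is not part of the original posts: a small Python model of the strict and loose uRPF checks run against a constructed FIB. The interface names (Gi0/0 toward ISPA, Vlan10 toward Router2, Vlan20 for the local /29), the RFC 5737 documentation prefixes and the route set are assumptions chosen to reproduce the asymmetry the thread describes, where iBGP makes Router1's best path back to some external sources point at Router2 rather than at the ISPA-facing interface on which their packets arrive.

```python
"""Strict vs loose unicast RPF, modelled against a small FIB.

Added example, not code from the thread. Interface names, prefixes (RFC 5737
documentation ranges) and the route set are assumptions chosen to reproduce
the asymmetry described in the thread: once iBGP is up, Router1's best path
back to some external sources points at Router2 instead of the ISPA link.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str  # "Null0" models a discard route (e.g. a bogon sink)


class Fib:
    """Longest-prefix-match table; routes kept most-specific first."""

    def __init__(self, routes: List[Route]) -> None:
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Route]:
        ip = ipaddress.IPv4Address(addr)
        for r in self.routes:
            if ip in r.prefix:
                return r
        return None  # no route at all


def urpf_strict(fib: Fib, src: str, in_iface: str) -> bool:
    """'ip verify unicast reverse-path' (reachable-via rx): the packet passes only
    if the best route back to its source points out the interface it arrived on.
    IOS ignores a default route for this check unless 'allow-default' is set;
    this model simply carries no default route."""
    r = fib.lookup(src)
    return r is not None and r.out_iface != "Null0" and r.out_iface == in_iface


def urpf_loose(fib: Fib, src: str, in_iface: str) -> bool:
    """'ip verify unicast source reachable-via any': any non-discard route to the
    source suffices, whichever interface it points out of. Unrouted sources and
    sources routed to Null0 are still dropped, so bogon filtering keeps working."""
    r = fib.lookup(src)
    return r is not None and r.out_iface != "Null0"


# Constructed FIB for "Router1" after the iBGP session with Router2 is up.
ROUTER1_FIB = Fib([
    Route(ipaddress.IPv4Network("192.0.2.0/29"), "Vlan20"),     # the local /29 on the SVI
    Route(ipaddress.IPv4Network("203.0.113.0/24"), "Gi0/0"),    # learned from ISPA (Gi0/0)
    Route(ipaddress.IPv4Network("198.51.100.0/24"), "Vlan10"),  # learned via iBGP, next hop Router2
    Route(ipaddress.IPv4Network("10.0.0.0/8"), "Null0"),        # bogon sink
])


def check(src: str, in_iface: str = "Gi0/0") -> dict:
    """Evaluate one inbound packet under both modes; in_iface defaults to the ISPA link."""
    return {"strict": urpf_strict(ROUTER1_FIB, src, in_iface),
            "loose": urpf_loose(ROUTER1_FIB, src, in_iface)}


if __name__ == "__main__":
    for src in ("203.0.113.9",    # best path is ISPA itself: both modes pass
                "198.51.100.7",   # best path now via Router2: strict drops, loose passes
                "10.1.2.3",       # routed to Null0: both drop
                "100.64.1.1"):    # no route at all: both drop
        print(f"{src:>14} arriving on Gi0/0 -> {check(src)}")
```

The second case is the one from the thread: a remote host whose return path Router1 now learns via Router2 still sends toward the /29 through ISPA, so strict mode on the ISPA-facing interface drops it while loose mode, which only asks whether the source is routable at all, lets it through. The two IOS forms being compared are `ip verify unicast source reachable-via rx` (strict, the same check as the older `ip verify unicast reverse-path`) and `ip verify unicast source reachable-via any` (loose).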
Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From erik at infopact.nl Thu Dec 4 06:03:52 2008 From: erik at infopact.nl (E. Versaevel) Date: Thu, 04 Dec 2008 12:03:52 +0100 Subject: [c-nsp] 7602VXR NPE-G1 Message-ID: <4937B918.80707@infopact.nl> Hello, I've got a 7206VXR with NPE-G1 configured for PPPoA termination, we recieve the VC's over an STM-1 and terminate them into various vrf's (for VPN) or into the global routing table (for internet). We are currently experiencing high cpu load (>80%) and some slow CLI access. We have about 2500 sessions on the box using up to 120 Mbit @ 30k packets/s CPU utilization for five seconds: 80%/58%; one minute: 84%; five minutes: 77% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 78 443181316-1276820381 0 6.12% 5.32% 4.89% 0 IP Input 247 449268424 641021686 700 2.86% 3.35% 3.41% 0 PPP Events Any idea on how we could debug the CPU usage ? We've got another 7200 doing only routing an that never tops 15% CPU usage... Kind regards, Erik Versaevel From erik at infopact.nl Thu Dec 4 06:41:48 2008 From: erik at infopact.nl (E. Versaevel) Date: Thu, 04 Dec 2008 12:41:48 +0100 Subject: [c-nsp] 7602VXR NPE-G1 In-Reply-To: <4937B918.80707@infopact.nl> References: <4937B918.80707@infopact.nl> Message-ID: <4937C1FC.7030407@infopact.nl> I've also been looking into the ASR 1000 series as a replacement/expansion. However it doesn't seem to support PPPoA, that's one major show stopper for us. From markom at markom.info Thu Dec 4 06:43:13 2008 From: markom at markom.info (Marko Milivojevic) Date: Thu, 4 Dec 2008 11:43:13 +0000 Subject: [c-nsp] 7602VXR NPE-G1 In-Reply-To: <4937B918.80707@infopact.nl> References: <4937B918.80707@infopact.nl> Message-ID: <1fb747910812040343i31be83f6gd8110f080dd060c2@mail.gmail.com> On Thu, Dec 4, 2008 at 11:03, E. 
Versaevel wrote: > Hello, > > I've got a 7206VXR with NPE-G1 configured for PPPoA termination; we receive the VCs over an STM-1 and terminate them into various VRFs (for VPN) or > into the global routing table (for Internet). > We are currently experiencing high CPU load (>80%) and some slow CLI access. We have about 2500 sessions on the box using up to 120 Mbit @ 30k packets/s From personal experience, what you are seeing are the limits of the G1 in that role. You can "fix" the slow CLI by toying around with "scheduler allocate", but performance-wise that's about it... -- Marko CCIE #18427 (SP) My network blog: http://cisco.markom.info/ From gulerozgur at yahoo.co.uk Thu Dec 4 06:51:48 2008 From: gulerozgur at yahoo.co.uk (Ozgur Guler) Date: Thu, 4 Dec 2008 11:51:48 +0000 (GMT) Subject: [c-nsp] 7602VXR NPE-G1 In-Reply-To: <4937B918.80707@infopact.nl> Message-ID: <947124.28222.qm@web25503.mail.ukl.yahoo.com> Best is to check and see if any of the interfaces has a high drop/throttle count. Then try to see the packets causing the interrupts with show buffers input-interface x/y header|dump. --- On Thu, 4/12/08, E. Versaevel wrote: From: E. Versaevel Subject: [c-nsp] 7602VXR NPE-G1 To: cisco-nsp at puck.nether.net Date: Thursday, 4 December, 2008, 11:03 AM Hello, I've got a 7206VXR with NPE-G1 configured for PPPoA termination; we receive the VCs over an STM-1 and terminate them into various VRFs (for VPN) or into the global routing table (for Internet). We are currently experiencing high CPU load (>80%) and some slow CLI access. We have about 2500 sessions on the box using up to 120 Mbit @ 30k packets/s CPU utilization for five seconds: 80%/58%; one minute: 84%; five minutes: 77% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 78 443181316-1276820381 0 6.12% 5.32% 4.89% 0 IP Input 247 449268424 641021686 700 2.86% 3.35% 3.41% 0 PPP Events Any idea on how we could debug the CPU usage? We've got another 7200 doing only routing and that never tops 15% CPU usage...
Kind regards, Erik Versaevel _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From kharananda at subisu.net.np Thu Dec 4 07:09:09 2008 From: kharananda at subisu.net.np (kharananda) Date: Thu, 04 Dec 2008 17:54:09 +0545 Subject: [c-nsp] VPLS Redundancy configuration help Message-ID: <4937C865.8090507@subisu.net.np> [ASCII diagram: two MPLS PEs connected across the MPLS core, each with a link down to a single Catalyst 2950 (CE), so the CE is dual-homed to both PEs] Dear All, Above is my network diagram. Being an ISP, I am willing to give redundant VPLS to the customer (creating and binding the VSI/VPLS to the CE-connected interface on each PE) with the topology shown. If I don't run STP protection for the loop between the PEs and the non-MPLS Catalyst 2950 (CE) shown in the figure, is there any mechanism in VPLS (like MAC withdrawal, etc.) that defines these two arms of the Cisco 2950 to be primary and secondary links, thereby keeping one of the ports of the Catalyst 2950 in down state and protecting against the loop, with automatic switchover on link failure? Regards, Khara Nanda Luitel. From dr at cluenet.de Thu Dec 4 07:56:47 2008 From: dr at cluenet.de (Daniel Roesen) Date: Thu, 4 Dec 2008 13:56:47 +0100 Subject: [c-nsp] 7602VXR NPE-G1 In-Reply-To: <1fb747910812040343i31be83f6gd8110f080dd060c2@mail.gmail.com> References: <4937B918.80707@infopact.nl> <1fb747910812040343i31be83f6gd8110f080dd060c2@mail.gmail.com> Message-ID: <20081204125647.GA18021@srv03.cluenet.de> On Thu, Dec 04, 2008 at 11:43:13AM +0000, Marko Milivojevic wrote: > On Thu, Dec 4, 2008 at 11:03, E.
Versaevel wrote: > > Hello, > > > > I've got a 7206VXR with NPE-G1 configured for PPPoA termination; we receive the VCs over an STM-1 and terminate them into various VRFs (for VPN) or > > into the global routing table (for Internet). > > We are currently experiencing high CPU load (>80%) and some slow CLI access. We have about 2500 sessions on the box using up to 120 Mbit @ 30k packets/s > > From personal experience, what you are seeing are the limits of the G1 in > that role. Agreed. The performance is in line with what we see here from our G1s in the same role. Best regards, Daniel -- CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0 From dr at cluenet.de Thu Dec 4 07:57:39 2008 From: dr at cluenet.de (Daniel Roesen) Date: Thu, 4 Dec 2008 13:57:39 +0100 Subject: [c-nsp] 7602VXR NPE-G1 In-Reply-To: <4937C1FC.7030407@infopact.nl> References: <4937B918.80707@infopact.nl> <4937C1FC.7030407@infopact.nl> Message-ID: <20081204125739.GB18021@srv03.cluenet.de> On Thu, Dec 04, 2008 at 12:41:48PM +0100, E. Versaevel wrote: > I've also been looking into the ASR 1000 series as a replacement/expansion. > However, it doesn't seem to support PPPoA; that's one major show stopper for us. That's announced for RLS3, expected in January (or so...). Best regards, Daniel -- CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0 From erik at infopact.nl Thu Dec 4 08:53:15 2008 From: erik at infopact.nl (E. Versaevel) Date: Thu, 04 Dec 2008 14:53:15 +0100 Subject: [c-nsp] 7602VXR NPE-G1 In-Reply-To: <20081204125739.GB18021@srv03.cluenet.de> References: <4937B918.80707@infopact.nl> <4937C1FC.7030407@infopact.nl> <20081204125739.GB18021@srv03.cluenet.de> Message-ID: <4937E0CB.5030603@infopact.nl> Daniel Roesen wrote: > On Thu, Dec 04, 2008 at 12:41:48PM +0100, E. Versaevel wrote: >> I've also been looking into the ASR 1000 series as a replacement/expansion. >> However, it doesn't seem to support PPPoA; that's one major show stopper for us.
> > That's announced for RLS3, expected in January (or so...). > > Best regards, > Daniel > Daniel, Where did you get that information? Is there a list of functions/features expected in RLS3? Erik Versaevel From hostmaster at retarus.de Thu Dec 4 09:37:02 2008 From: hostmaster at retarus.de (hostmaster) Date: Thu, 4 Dec 2008 14:37:02 +0000 (UTC) Subject: [c-nsp] 12.4(20)T oddities References: <64396C74FCE435468BE2AF5A73F9C2FD599B09@chmaexch.chelmer.co.nz> <42F0C766A9A8DB47B5E86CA64738DC8B01905990@bilbo.bdhz.c2c.local> Message-ID: I saw these issues too. Which previous code doesn't have this issue? Lala Lander gmail.com> writes: I saw issues with iBGP sessions... I kept receiving these messages for iBGP sessions till I went back to my previous code. *Aug 7 02:07:45: %BGP-3-NOTIFICATION: sent to neighbor x.x.x.x 1/2 (illegal header length) 2 bytes 1001 Thanks, From mm at math.pub.ro Thu Dec 4 13:45:54 2008 From: mm at math.pub.ro (mm-tech) Date: Thu, 4 Dec 2008 20:45:54 +0200 (EET) Subject: [c-nsp] bgp weird issue In-Reply-To: <7FEDD455961B164D8C4EEA60E22914205B87C41AAB@EXCHANGE1.intranet.iseek.com.au> References: <3176.79.118.191.161.1228120451.squirrel@ssl.math.pub.ro> <4356.86.121.173.196.1228375784.squirrel@ssl.math.pub.ro> <7FEDD455961B164D8C4EEA60E22914205B87C41AAB@EXCHANGE1.intranet.iseek.com.au> Message-ID: <2736.86.121.175.25.1228416354.squirrel@ssl.math.pub.ro> Hi, Yes, I'm still trying to find out more details about RPF... But now I ran into another issue: router1 is preferring the default route from router2. In other words, once the iBGP relationship is established, the default route (62.217.x.x) from router1 becomes router2's IP address (91.195.X.1). Everything works fine, but all the traffic goes out through router2. Do you know how I can fix this issue? I want router1 to keep its default route after the iBGP comes up. Thanks, john > hi, > > perhaps rather than just turn it off outright, investigate rpf loose?
> > that will still allow you to have asymmetric traffic flows and drop > traffic from bogon address space. > > you may still find you get some packet loss where icmp echo replies are > returned from mpls interfaces that aren't advertised, depending on your > upstream/peer networks, but imho for the most part it works just fine. > >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >> bounces at puck.nether.net] On Behalf Of mm-tech >> Sent: Thursday, 4 December 2008 5:30 PM >> To: mm at math.pub.ro >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] bgp weird issue >> >> Hi guys, >> >> I've finally solved the mystery with that /29 subnet being blocked >> after the iBGP relationship came up. >> It was because of the "ip verify unicast reverse-path" option enabled on >> Router1 on the interfaces connecting the router to ISP A. >> I had this option enabled to prevent IP spoofing, but it seems that it >> affects iBGP in a negative way, BGP being a unicast protocol. >> >> Thanks, >> john >> >> >> Hello John: >> >> >> >> >> >> On 11/30/08 10:32 AM, "mm-tech" wrote: >> >> >> >> >> >> >> >>> The issue is after I configure the iBGP relationship between Router1 >> >>> and >> >>> Router2: connectivity to the 62.217.X.X/29 subnet on Router1 is >> lost. >> >>> It >> >>> cannot be pinged anymore from outside. The 91.195.X.X/23 is >> announced >> >>> correctly through both ISPs and any IP in this /23 subnet is >> pingable >> >>> from >> >>> outside. The only problem is with the 62.217.X.X/29 block that >> becomes >> >>> unreachable after configuring the iBGP relationship and I don't >> >>> understand >> >>> why this is happening. >> >>> >> >>> Sorry for the long post and I hope you'll give me some hints -:) >> >>> >> >>> Thanks, >> >>> John >> >>> >> >> >> >> How is the /29 configured on router 1? If it's being statically >> routed >> >> from >> >> your ISP, then you need to have it in your IGP somehow.
Something >> >> simple >> >> would be: >> >> >> >> Interface x/x >> >> Ip address 62.217.x.x 255.255.255.248 >> >> >> >> Router ospf 10 >> >> Redistribute connected subnets >> >> >> >> More information is needed, I'm afraid. >> >> >> >> Regards, >> >> >> >> Mike >> >> >> >> >> > Yes, the /29 subnet is configured on Router1 on an SVI interface. I >> haven't >> > tried to put this /29 into my IGP. I'll try that and I'll let you know >> > guys. >> > >> > If you need more info, please let me know... >> > >> > Thanks, >> > john >> > >> > >> >> >> > From oiyankok at yahoo.ca Thu Dec 4 13:22:55 2008 From: oiyankok at yahoo.ca (ann kok) Date: Thu, 4 Dec 2008 10:22:55 -0800 (PST) Subject: [c-nsp] need help about network Message-ID: <530093.16769.qm@web111314.mail.gq1.yahoo.com> Hi I have a problem accessing this site, e.g. outsidewebsite.com, but this machine can reach other websites. I also tried using another machine in a different network to access the same website (outsidewebsite.com). It works, but the machines in the same network as this one are not able to access outsidewebsite.com. I am sure there is no firewall, and this website won't block port 80 from outside. I get "incorrect" in the tcpdump. Do you have any idea? 12:38:36.339248 IP (tos 0x8, ttl 64, id 54019, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.21.33786 > outsidewebsite.com.http: ., cksum 0xe114 (correct), ack 304 win 6432 12:38:36.355895 IP (tos 0x8, ttl 64, id 54020, offset 0, flags [DF], proto TCP (6), length 238) 192.168.0.21.33786 > outsidewebsite.com.http: P, cksum 0xb071 (incorrect (-> 0xf336), 206:404(198) ack 304 win 6432 Thank you
From vinny at tellurian.com Thu Dec 4 15:20:38 2008 From: vinny at tellurian.com (Vinny Abello) Date: Thu, 4 Dec 2008 15:20:38 -0500 Subject: [c-nsp] need help about network In-Reply-To: <530093.16769.qm@web111314.mail.gq1.yahoo.com> References: <530093.16769.qm@web111314.mail.gq1.yahoo.com> Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056463F07CB3D@EXCHANGENJ1.ds.tellurian.net> Check for something like TCP Offload on the machine where you are seeing this problem. This can often interfere with things and result in incorrect TCP checksums in packet captures. Outside of that, do you have an MTU smaller than 1500 bytes anywhere you know of in the network? It could be broken PMTU discovery due to overzealous ICMP blocking somewhere or routers with unreachables disabled completely. -Vinny > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of ann kok > Sent: Thursday, December 04, 2008 1:23 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] need help about network > > Hi > > I have a problem accessing this site, e.g. outsidewebsite.com, > but this machine can reach other websites > > I also tried using another machine in a different network to access the > same website (outsidewebsite.com). It works, but the machines in the > same network as this one are not able to access outsidewebsite.com > > I am sure there is no firewall, and this website won't block port 80 from > outside > > > I get "incorrect" in the tcpdump. > > Do you have any idea?
> > 12:38:36.339248 IP (tos 0x8, ttl 64, id 54019, offset 0, flags [DF], > proto TCP (6), length 40) 192.168.0.21.33786 > outsidewebsite.com.http: > ., cksum 0xe114 (correct), ack 304 win 6432 > > 12:38:36.355895 IP (tos 0x8, ttl 64, id 54020, offset 0, flags [DF], > proto TCP (6), length 238) 192.168.0.21.33786 > > outsidewebsite.com.http: P, cksum 0xb071 (incorrect (-> 0xf336), > 206:404(198) ack 304 win 6432 > > Thank you > From pshuleski at gmail.com Thu Dec 4 15:40:24 2008 From: pshuleski at gmail.com (Pete S.) Date: Thu, 4 Dec 2008 15:40:24 -0500 Subject: [c-nsp] Using generic Compact Flash in Cisco Routers... In-Reply-To: <5d093f9a0809171714s23ba6f7ck9f04a3112fac0850@mail.gmail.com> References: <5d093f9a0809171714s23ba6f7ck9f04a3112fac0850@mail.gmail.com> Message-ID: <50f158990812041240s434ce701wa42a1b0801795c37@mail.gmail.com> We purchased SanDisk 512M CF disks, which work in our Sup720s, 2800s, 3700s, 3800s, and 7200 NPE-G1s and G2s. On Wed, Sep 17, 2008 at 7:14 PM, Jonathan Charles wrote: > So, does it work?
> > > > > Jonathan > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mm at math.pub.ro Thu Dec 4 16:26:28 2008 From: mm at math.pub.ro (mm-tech) Date: Thu, 4 Dec 2008 23:26:28 +0200 (EET) Subject: [c-nsp] bgp weird issue In-Reply-To: <2736.86.121.175.25.1228416354.squirrel@ssl.math.pub.ro> References: <3176.79.118.191.161.1228120451.squirrel@ssl.math.pub.ro> <4356.86.121.173.196.1228375784.squirrel@ssl.math.pub.ro> <7FEDD455961B164D8C4EEA60E22914205B87C41AAB@EXCHANGE1.intranet.iseek.com.au> <2736.86.121.175.25.1228416354.squirrel@ssl.math.pub.ro> Message-ID: <3387.86.121.175.25.1228425988.squirrel@ssl.math.pub.ro> Hi again, I've solved it by marking the default route coming from the iBGP neighbor w/ a local-preference of 90 and now the correct route is the default one. Is there any other more elegant solution to this issue? thanks, john > Hi, > > Yes, I'm still trying to find out more details about rpf... > > But now, I ran into another issue: router1 is preferring the default route > from router2. In other words, once the iBGP relationship is established, > the default route (62.217.x.x) from router1 becomes router2's IP address > (91.195.X.1). Everything works fine, but all the traffic goes out through > router2. > > Do you know how can I fix this issue? I want router1 to keep its default > route after the iBGP comes up. > > Thanks, > john > >> hi, >> >> perhaps rather than just turn it off outright, investigate rpf loose? >> >> that will still allow you to have asymmetric traffic flows and drop >> traffic from bogon address space. >> >> you may still find you get some packet loss where icmp echo replies are >> returned from mpls interfaces that arent advertised, depending on your >> upstream/peer networks, but imho for the most part it works just fine. 
>> >>> -----Original Message----- >>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >>> bounces at puck.nether.net] On Behalf Of mm-tech >>> Sent: Thursday, 4 December 2008 5:30 PM >>> To: mm at math.pub.ro >>> Cc: cisco-nsp at puck.nether.net >>> Subject: Re: [c-nsp] bgp weird issue >>> >>> Hi guys, >>> >>> I've finally solved out the mystery with that /29 subnet being blocked >>> after the iBGP relationship came up. >>> It was because of the "ip verify unicast reverse-path" option enabled >>> on >>> Router1 on the interfaces connecting the router to the ISPA. >>> I had this option enabled to prevent ip spoofing, but it seems that it >>> affects in a negative way iBGP, BGP being a unicast protocol. >>> >>> Thanks, >>> john >>> >>> >> Hello John: >>> >> >>> >> >>> >> On 11/30/08 10:32 AM, "mm-tech" wrote: >>> >> >>> >> >>> >> >>> >>> The issue is after I configure the iBGP relationship between >>> Router1 >>> >>> and >>> >>> Router2: connectivity to the 62.217.X.X/29 subnet on Router1 is >>> lost. >>> >>> It >>> >>> cannot be pinged anymore from outside. The 91.195.X.X/23 is >>> announced >>> >>> correctly through both ISPs and any IP in this /23 subnet is >>> pingable >>> >>> from >>> >>> outside. They only problem is with the 62.217.X.X/29 block that >>> becomes >>> >>> unreachable after configuring the iBGP relationship and I don't >>> >>> understand >>> >>> why this is happening. >>> >>> >>> >>> Sorry for the long post and I hope you'll give me some hints -:) >>> >>> >>> >>> Thanks, >>> >>> John >>> >>> >>> >> >>> >> How is the /29 configured on router 1? If it's being statically >>> routed >>> >> from >>> >> your ISP, then you need to have it in your IGP somehow. Something >>> >> simple >>> >> would be: >>> >> >>> >> Interface x/x >>> >> Ip address 62.217.x.x 255.255.255.248 >>> >> >>> >> Router ospf 10 >>> >> Redistribute connected subnets >>> >> >>> >> More information is needed, I'm afraid. 
>>> >> >>> >> Regards, >>> >> >>> >> Mike >>> >> >>> >> >>> > Yes, the /29 subnet is configured on Router1 on an SVI interface. I >>> haven't >>> > tried to put this /29 into my IGP. I'll try that and I'll let you >>> know >>> > guys. >>> > >>> > If you need more info, please let me know... >>> > >>> > Thanks, >>> > john >>> > >>> > >>> >>> >> > > > From mojtaba.kia at gmail.com Thu Dec 4 16:17:58 2008 From: mojtaba.kia at gmail.com (Mojtaba Kia) Date: Thu, 4 Dec 2008 16:17:58 -0500 Subject: [c-nsp] ASR1002 and SFP-GE-T Issue Message-ID: <8fa3eafa0812041317laedc726r56fa33a6f0ea1b3f@mail.gmail.com> Attempting to install an SFP-GE-T transceiver in an ASR1002 router's built-in GE port. The lead time to get factory SFPs from Cisco is about 2-3 weeks, so I got my hands on a couple of third-party vendor SFP-GE-T transceivers, and even though the router recognizes the SFP, layer 1 and layer 2 will not come up. Has anyone had an experience similar to this and might know what the cause is? I have tested the SFPs in 4948 switches and they come up and work fine, so I know the SFPs are not defective. Any help is greatly appreciated From cocconi at canl.net Thu Dec 4 16:20:03 2008 From: cocconi at canl.net (Alain Cocconi) Date: Fri, 5 Dec 2008 08:20:03 +1100 Subject: [c-nsp] 7602VXR NPE-G1 In-Reply-To: <4937B918.80707@infopact.nl> References: <4937B918.80707@infopact.nl> Message-ID: <004601c95656$12e0ac20$38a20460$@net> I've got an NPE-G1 with 3k PPPoE & PPPoA sessions and it uses only 40% CPU. It seems that you use 58% of the 80% CPU usage for ACLs only, if I'm not wrong (80%/58%). Maybe you can check your config for this? Alain Cocconi -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of E.
Versaevel Sent: Thursday, 4 December 2008 22:04 To: cisco-nsp at puck.nether.net Subject: [c-nsp] 7602VXR NPE-G1 Hello, I've got a 7206VXR with NPE-G1 configured for PPPoA termination; we receive the VCs over an STM-1 and terminate them into various VRFs (for VPN) or into the global routing table (for Internet). We are currently experiencing high CPU load (>80%) and some slow CLI access. We have about 2500 sessions on the box using up to 120 Mbit @ 30k packets/s CPU utilization for five seconds: 80%/58%; one minute: 84%; five minutes: 77% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 78 443181316-1276820381 0 6.12% 5.32% 4.89% 0 IP Input 247 449268424 641021686 700 2.86% 3.35% 3.41% 0 PPP Events Any idea on how we could debug the CPU usage? We've got another 7200 doing only routing and that never tops 15% CPU usage... Kind regards, Erik Versaevel From techgrrl at gmail.com Thu Dec 4 16:22:51 2008 From: techgrrl at gmail.com (Janet Plato) Date: Thu, 4 Dec 2008 15:22:51 -0600 Subject: [c-nsp] Using generic Compact Flash in Cisco Routers... In-Reply-To: <50f158990812041240s434ce701wa42a1b0801795c37@mail.gmail.com> References: <5d093f9a0809171714s23ba6f7ck9f04a3112fac0850@mail.gmail.com> <50f158990812041240s434ce701wa42a1b0801795c37@mail.gmail.com> Message-ID: It's not a generic yes/no; it depends on the model of the router/switch, the type of flash memory and the boot helper, ROMMON or ATA monlib if used. If you literally mean compact flash (not flash in general), I think it just works, but I'd still read the release notes for the platform and IOS version, since there may be size limitations, limitations on which technology family is supported, and issues with the boot loader on platforms that use boot helpers.
For 7200s I have had problems with certain boot helpers not recognizing ATA-style flash as opposed to the older flash, and on 6500s I've had problems with size limitations in older software. The answer may be cut and dried today, but I'd read and test before spending a lot of money, Janet Plato On Thu, Dec 4, 2008 at 2:40 PM, Pete S. wrote: > We purchased SanDisk 512M CF disks, which work in our Sup720s, 2800s, > 3700s, 3800s, and 7200 NPE-G1s and G2s. > > > > On Wed, Sep 17, 2008 at 7:14 PM, Jonathan Charles wrote: > >> So, does it work? >> >> >> >> >> Jonathan >> > From dr at cluenet.de Thu Dec 4 17:04:26 2008 From: dr at cluenet.de (Daniel Roesen) Date: Thu, 4 Dec 2008 23:04:26 +0100 Subject: [c-nsp] ASR1002 and SFP-GE-T Issue In-Reply-To: <8fa3eafa0812041317laedc726r56fa33a6f0ea1b3f@mail.gmail.com> References: <8fa3eafa0812041317laedc726r56fa33a6f0ea1b3f@mail.gmail.com> Message-ID: <20081204220426.GB5907@srv03.cluenet.de> On Thu, Dec 04, 2008 at 04:17:58PM -0500, Mojtaba Kia wrote: > Attempting to install an SFP-GE-T transceiver in an ASR1002 router's built-in > GE port. The lead time to get factory SFPs from Cisco is about 2-3 weeks, so I > got my hands on a couple of third-party vendor SFP-GE-T transceivers, and even > though the router recognizes the SFP, layer 1 and layer 2 will not come up. We've seen the same here with 3rd-party copper SFPs, and "service unsupported-transceiver" didn't help. The box didn't actually complain about that anyway. No problems with "Cisco" quad-price SFPs though.
Perhaps they found a new way to recognize 3rd-party Cisco-coded SFPs... no clue. The same 3rd-party brand fiber SFPs have no issues. Best regards, Daniel -- CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0 From mduksa at gmail.com Thu Dec 4 17:51:44 2008 From: mduksa at gmail.com (Marlon Duksa) Date: Thu, 4 Dec 2008 14:51:44 -0800 Subject: [c-nsp] 40Gbps on GSR? Message-ID: Is the 1281x series router available? I read that the slot capacity is 40Gbps (fabric upgrade to the old GSRs), but is there a line card that can handle 40Gbps? I think that the highest-rate SIP available is the 601 and it has 20Gbps throughput? Can anyone confirm? Thanks, Marlon From clinton at scripty.com Thu Dec 4 20:48:51 2008 From: clinton at scripty.com (Clinton Work) Date: Thu, 04 Dec 2008 18:48:51 -0700 Subject: [c-nsp] 40Gbps on GSR? In-Reply-To: References: Message-ID: <49388883.7090302@scripty.com> Cisco sells a 2-port OC192 linecard for the 128xx routers, but they don't sell a 1-port OC768 linecard. Cisco GSR POS linecards: http://www.cisco.com/en/US/prod/collateral/routers/ps6342/product_data_sheet0900aecd803fd7b9.html Marlon Duksa wrote: > Is the 1281x series router available? I read that the slot capacity is 40Gbps > (fabric upgrade to the old GSRs), but is there a line card that can handle > 40Gbps? I think that the highest-rate SIP available is the 601 and it has 20Gbps > throughput? Can anyone confirm? Thanks, > Marlon > -- ================================================================== Clinton Work Airdrie, AB From swmike at swm.pp.se Thu Dec 4 22:02:02 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Fri, 5 Dec 2008 04:02:02 +0100 (CET) Subject: [c-nsp] 40Gbps on GSR? In-Reply-To: References: Message-ID: On Thu, 4 Dec 2008, Marlon Duksa wrote: > 40Gbps? I think that the highest-rate SIP available is the 601 and it has > 20Gbps throughput? Can anyone confirm? Thanks, Marlon The SIP-601 has a 12400-style backplane connection, so it's limited to around 12 gigabit/s.
The only 12800 linecard I am aware of that is currently sold is the two-port OC192 mentioned in another post. -- Mikael Abrahamsson email: swmike at swm.pp.se From mm at math.pub.ro Fri Dec 5 01:00:27 2008 From: mm at math.pub.ro (mm-tech) Date: Fri, 5 Dec 2008 08:00:27 +0200 (EET) Subject: [c-nsp] bgp weird issue In-Reply-To: <57d3a2ac0812041940w371d372dn6e49cefec7ced7bf@mail.gmail.com> References: <3176.79.118.191.161.1228120451.squirrel@ssl.math.pub.ro> <4356.86.121.173.196.1228375784.squirrel@ssl.math.pub.ro> <7FEDD455961B164D8C4EEA60E22914205B87C41AAB@EXCHANGE1.intranet.iseek.com.au> <2736.86.121.175.25.1228416354.squirrel@ssl.math.pub.ro> <3387.86.121.175.25.1228425988.squirrel@ssl.math.pub.ro> <57d3a2ac0812041940w371d372dn6e49cefec7ced7bf@mail.gmail.com> Message-ID: <4485.86.121.173.128.1228456827.squirrel@ssl.math.pub.ro> Well, surprisingly, router1 doesn't select the eBGP default route and chooses the iBGP one instead. It's weird because the eBGP route has an administrative distance of 20 and the iBGP one has an AD of 200, and it should choose the eBGP route. I've noticed that when marking the iBGP default route with a local-pref greater than 100, router1 still chooses the iBGP default route. If I set the local-pref value below 100, router1 selects the eBGP default route. thanks, john > Are you receiving a default route from ISP-A on Router1 via BGP? If so the > eBGP default route should always be selected over the iBGP default > route... > assuming you haven't modified the administrative distances used by Router1. > > And there is nothing inelegant with using local-pref, this is what it is > for > :) > > On Fri, Dec 5, 2008 at 6:26 AM, mm-tech wrote: > >> Hi again, >> >> I've solved it by marking the default route coming from the iBGP >> neighbor >> w/ a local-preference of 90 and now the correct route is the default >> one. >> Is there any other more elegant solution to this issue?
>> >> thanks, >> john >> >> > Hi, >> > >> > Yes, I'm still trying to find out more details about rpf... >> > >> > But now, I ran into another issue: router1 is preferring the default >> route >> > from router2. In other words, once the iBGP relationship is >> established, >> > the default route (62.217.x.x) from router1 becomes router2's IP >> address >> > (91.195.X.1). Everything works fine, but all the traffic goes out >> through >> > router2. >> > >> > Do you know how can I fix this issue? I want router1 to keep its >> default >> > route after the iBGP comes up. >> > >> > Thanks, >> > john >> > >> >> hi, >> >> >> >> perhaps rather than just turn it off outright, investigate rpf loose? >> >> >> >> that will still allow you to have asymmetric traffic flows and drop >> >> traffic from bogon address space. >> >> >> >> you may still find you get some packet loss where icmp echo replies >> are >> >> returned from mpls interfaces that arent advertised, depending on >> your >> >> upstream/peer networks, but imho for the most part it works just >> fine. >> >> >> >>> -----Original Message----- >> >>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- >> >>> bounces at puck.nether.net] On Behalf Of mm-tech >> >>> Sent: Thursday, 4 December 2008 5:30 PM >> >>> To: mm at math.pub.ro >> >>> Cc: cisco-nsp at puck.nether.net >> >>> Subject: Re: [c-nsp] bgp weird issue >> >>> >> >>> Hi guys, >> >>> >> >>> I've finally solved out the mystery with that /29 subnet being >> blocked >> >>> after the iBGP relationship came up. >> >>> It was because of the "ip verify unicast reverse-path" option >> enabled >> >>> on >> >>> Router1 on the interfaces connecting the router to the ISPA. >> >>> I had this option enabled to prevent ip spoofing, but it seems that >> it >> >>> affects in a negative way iBGP, BGP being a unicast protocol. 
>> >>> >> >>> Thanks, >> >>> john >> >>> >> >>> >> Hello John: >> >>> >> >> >>> >> >> >>> >> On 11/30/08 10:32 AM, "mm-tech" wrote: >> >>> >> >> >>> >> >> >>> >> >> >>> >>> The issue is after I configure the iBGP relationship between >> >>> Router1 >> >>> >>> and >> >>> >>> Router2: connectivity to the 62.217.X.X/29 subnet on Router1 is >> >>> lost. >> >>> >>> It >> >>> >>> cannot be pinged anymore from outside. The 91.195.X.X/23 is >> >>> announced >> >>> >>> correctly through both ISPs and any IP in this /23 subnet is >> >>> pingable >> >>> >>> from >> >>> >>> outside. They only problem is with the 62.217.X.X/29 block that >> >>> becomes >> >>> >>> unreachable after configuring the iBGP relationship and I don't >> >>> >>> understand >> >>> >>> why this is happening. >> >>> >>> >> >>> >>> Sorry for the long post and I hope you'll give me some hints -:) >> >>> >>> >> >>> >>> Thanks, >> >>> >>> John >> >>> >>> >> >>> >> >> >>> >> How is the /29 configured on router 1? If it's being statically >> >>> routed >> >>> >> from >> >>> >> your ISP, then you need to have it in your IGP somehow. >> Something >> >>> >> simple >> >>> >> would be: >> >>> >> >> >>> >> Interface x/x >> >>> >> Ip address 62.217.x.x 255.255.255.248 >> >>> >> >> >>> >> Router ospf 10 >> >>> >> Redistribute connected subnets >> >>> >> >> >>> >> More information is needed, I'm afraid. >> >>> >> >> >>> >> Regards, >> >>> >> >> >>> >> Mike >> >>> >> >> >>> >> >> >>> > Yes, the /29 subnet is configured on Router1 on a SVI interface. I >> >>> haven't >> >>> > tried to put this /29 into my IGP. I'll try that and I'll let you >> >>> know >> >>> > guys. >> >>> > >> >>> > Iy you need more info, please let me know... 
>> >>> > >> >>> > Thanks, >> >>> > john >> >>> > >> >>> > >> >>> >> >>> >> >> >> > >> > >> > >> >> >> > From kharananda at subisu.net.np Fri Dec 5 00:59:22 2008 From: kharananda at subisu.net.np (kharananda) Date: Fri, 05 Dec 2008 11:44:22 +0545 Subject: [c-nsp] VPLS Redundancy configuration help In-Reply-To: <4937C865.8090507@subisu.net.np> References: <4937C865.8090507@subisu.net.np> Message-ID: <4938C33A.9060906@subisu.net.np> Let me explain my problem briefly. When doing multi-homed VPLS, if the customer CE is a Catalyst 2950 (not a router), how do I protect against an L2 loop? Is there any mechanism other than STP protection? Regards, Khara Nanda Luitel. kharananda wrote: > [ASCII diagram: two MPLS PEs connected across the MPLS core, each with a link down to a single Catalyst 2950 (CE), so the CE is dual-homed to both PEs] > > Dear All, > > Above is my network diagram. Being an ISP, I am willing to give > redundant VPLS to the customer (creating and binding the VSI/VPLS to the CE- > connected interface on each PE) with the topology shown. > > If I don't run STP protection for the loop between the PEs and the non-MPLS > Catalyst 2950 (CE) shown in the figure, is there any mechanism in VPLS > (like MAC withdrawal, etc.) that defines these two arms of the Cisco 2950 to > be primary and secondary links, thereby keeping one of the ports of the > Catalyst 2950 in down state and protecting against the loop, with automatic > switchover on link failure?
>
> Regards,
> Khara Nanda Luitel.
>

From swmike at swm.pp.se Fri Dec 5 01:47:31 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 5 Dec 2008 07:47:31 +0100 (CET)
Subject: [c-nsp] bgp weird issue
In-Reply-To: <4485.86.121.173.128.1228456827.squirrel@ssl.math.pub.ro>
References: <3176.79.118.191.161.1228120451.squirrel@ssl.math.pub.ro> <4356.86.121.173.196.1228375784.squirrel@ssl.math.pub.ro> <7FEDD455961B164D8C4EEA60E22914205B87C41AAB@EXCHANGE1.intranet.iseek.com.au> <2736.86.121.175.25.1228416354.squirrel@ssl.math.pub.ro> <3387.86.121.175.25.1228425988.squirrel@ssl.math.pub.ro> <57d3a2ac0812041940w371d372dn6e49cefec7ced7bf@mail.gmail.com> <4485.86.121.173.128.1228456827.squirrel@ssl.math.pub.ro>
Message-ID: 

On Fri, 5 Dec 2008, mm-tech wrote:

> It's weird because the eBGP route has an administrative distance of 20
> and the iBGP has an AD of 200 and it should choose the eBGP route.

Most larger networks are run with "distance bgp 200 200 200" under "router bgp" to remove the differentiation between eBGP and iBGP, and to make sure your IGP is preferred over BGP. I'd say this is highly recommended unless you specifically need eBGP to be best.

--
Mikael Abrahamsson email: swmike at swm.pp.se

From Benjamin.Conconi at nok.ch Fri Dec 5 03:09:23 2008
From: Benjamin.Conconi at nok.ch (Benjamin.Conconi at nok.ch)
Date: Fri, 5 Dec 2008 09:09:23 +0100
Subject: [c-nsp] ifIndex-table and nvram
Message-ID: <33F0FE183DE5EE429ADCF7FEA2E54761A1C50D02@VMBDN460.prod.axponet.ch>

Dear all

We have several 7606-S with RSP720. Because our field technicians aren't familiar with IOS, we've put a 512MB CF card (disk0:) in every RSP720. My idea is, if an RSP encounters a hardware problem, the field technician can take a spare RSP720, pull the CF card out of the defective RSP and push the new card with the inserted CF card into the chassis. The router will then boot with the old configuration. I achieved this by setting the right environment variables:

!
boot-start-marker
boot system disk0:/c7600rsp72043-advipservicesk9-mz.122-33.SRC1.bin
boot system sup-bootdisk:/c7600rsp72043-advipservicesk9-mz.122-33.SRC1.bin
boot system flash sup-bootdisk:
boot config disk0:/startup-config
boot-end-marker
!

This works fine as far as I can judge. Unfortunately I have seen that the ifIndex table rests in NVRAM. This means that the ifIndex persistence is lost if we change the RSP. Is there any solution to advise IOS to save the ifIndex table on the CF card (disk0:)?

Kind Regards
Benjamin Conconi
Telekom-Ingenieur
Nordostschweizerische Kraftwerke AG (NOK)
Netz - Nachrichtenwege/Telefon - Parkstrasse 23 - 5401 Baden
056/200 36 31 (intern 933 36 31) F 056/200 38 10
www.axpo.ch - benjamin.conconi at nok.ch

From rekordmeister at gmail.com Fri Dec 5 04:44:22 2008
From: rekordmeister at gmail.com (MKS)
Date: Fri, 5 Dec 2008 09:44:22 +0000
Subject: [c-nsp] option 82 and IRB
Message-ID: 

Hi list

I can see that Cisco supports inserting option 82 on RBE:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftrbeo82.html

But can I get the Cisco to insert option 82 in an IRB environment?

So instead of:

interface ATM4/0.1 point-to-point
 ip unnumbered Loopback0
 ip helper-address 172.16.1.2
 atm route-bridged ip
 pvc 88/800
  encapsulation aal5snap

We would have something like this:

interface ATM4/0.10 multipoint
 range test pvc 10/32 10/50
  vbr-nrt 536 486 100
  create on-demand
 !
 bridge-group 10
!
interface BVI10
 ip address 10.0.0.0 255.255.255.0
 ip helper-address 172.16.1.2

From zorglub421 at gmail.com Fri Dec 5 05:56:15 2008
From: zorglub421 at gmail.com (Zorg 421)
Date: Fri, 5 Dec 2008 11:56:15 +0100
Subject: [c-nsp] site2site VPN with a dynamic IP
Message-ID: <6b546c750812050256p2b9eb3cjad4d82de10c374c4@mail.gmail.com>

Hello c-nsp,

How can I set up Cisco devices (preferably IOS) to establish a site-to-site IPsec VPN with one endpoint on a dynamic IP?

I prefer using a pre-shared key, but any idea is welcome.

Regards.
From avayner at cisco.com Fri Dec 5 06:43:11 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 5 Dec 2008 12:43:11 +0100
Subject: [c-nsp] site2site VPN with a dynamic IP
In-Reply-To: <6b546c750812050256p2b9eb3cjad4d82de10c374c4@mail.gmail.com>
References: <6b546c750812050256p2b9eb3cjad4d82de10c374c4@mail.gmail.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A50245AA3F@xmb-ams-331.emea.cisco.com>

Hi,

I guess you have only one side of the VPN using a dynamic IP, while the hub site is a pre-defined IP address. Right?

For this you can take a look at Easy VPN (EzVPN):
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/data_sheet_c78-457320.html
http://www.cisco.com/en/US/products/sw/secursw/ps5299/index.html
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml

Another option could be DMVPN:
http://www.cisco.com/en/US/products/ps6658/index.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6658/data_sheet_c78-468520.html
(you can disable branch-to-branch direct communication by tweaking the NHRP config)

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Zorg 421
Sent: Friday, December 05, 2008 12:56 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] site2site VPN with a dynamic IP

Hello c-nsp,

How can I setup cisco devices (preferably IOS) to establish a site2site IPSec VPN with one endpoint on a dynamic IP?

I prefer using pre-shared key, but any idea is welcome.

Regards.
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From tim at pelican.org Fri Dec 5 06:45:54 2008 From: tim at pelican.org (Tim Franklin) Date: Fri, 5 Dec 2008 11:45:54 -0000 (GMT) Subject: [c-nsp] bgp weird issue In-Reply-To: <4485.86.121.173.128.1228456827.squirrel@ssl.math.pub.ro> References: <3176.79.118.191.161.1228120451.squirrel@ssl.math.pub.ro> <4356.86.121.173.196.1228375784.squirrel@ssl.math.pub.ro> <7FEDD455961B164D8C4EEA60E22914205B87C41AAB@EXCHANGE1.intranet.iseek.com.au> <2736.86.121.175.25.1228416354.squirrel@ssl.math.pub.ro> <3387.86.121.175.25.1228425988.squirrel@ssl.math.pub.ro> <57d3a2ac0812041940w371d372dn6e49cefec7ced7bf@mail.gmail.com> <4485.86.121.173.128.1228456827.squirrel@ssl.math.pub.ro> Message-ID: On Fri, December 5, 2008 6:00 am, mm-tech wrote: > It's weird because the eBGP route has an administrative distance of 20 > and the iBGP has an AD of 200 and it should choose the eBGP route. NO. The BGP best-path selection happens between *all* of the BGP routes, both eBGP and iBGP, using all of the normal BGP metric, of which AD is NOT one. (E vs I is, but it's a lot further down the tree than local-pref). Only once you've chosen a BGP best path do you compare the AD of that route with the ADs of matching routes from other non-BGP routing protocols to see which one makes it into the routing table, which is where the eBGP < various-IGP < iBGP distinction comes in. Regards, Tim. 
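The two-stage selection Tim describes, together with the "distance bgp 200 200 200" knob Mikael mentions earlier in the thread, as an added Python example that is not part of the thread and not Cisco code: stage 1 runs BGP best-path selection over all eBGP and iBGP paths for a prefix, and AD plays no part in it; only the single winner then competes on AD with routes from other protocols. The prefix, next hops, ASNs, the local-pref of 150 on the iBGP path and the OSPF route are all constructed assumptions; the tie-breaker order is Cisco's, trimmed to the attributes modelled here.

```python
"""Two-stage route selection: BGP best path first, administrative distance second.

Added example (not from the thread, not Cisco code). All prefixes, next hops,
ASNs and attribute values below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class BgpPath:
    prefix: str
    next_hop: str
    source: str                    # "ebgp" or "ibgp"
    as_path: List[int] = field(default_factory=list)
    local_pref: int = 100          # IOS default
    weight: int = 0                # IOS default for learned paths
    med: int = 0
    origin: int = 0                # 0 IGP, 1 EGP, 2 incomplete; lower wins
    igp_metric: int = 0
    router_id: str = "0.0.0.0"


@dataclass
class Route:
    prefix: str
    protocol: str
    next_hop: str
    distance: int


# IOS default: "distance bgp 20 200 200" (external internal local)
DEFAULT_DISTANCE: Dict[str, int] = {"ebgp": 20, "ibgp": 200}
# The common ISP setting from the thread: "distance bgp 200 200 200"
FLAT_DISTANCE: Dict[str, int] = {"ebgp": 200, "ibgp": 200}


def _bestpath_key(p: BgpPath):
    """Smaller tuple wins. Note that there is no AD term anywhere in here."""
    return (
        -p.weight,                                      # 1. highest weight
        -p.local_pref,                                  # 2. highest local-pref
        len(p.as_path),                                 # 3. shortest AS path
        p.origin,                                       # 4. lowest origin code
        p.med,                                          # 5. lowest MED
        0 if p.source == "ebgp" else 1,                 # 6. eBGP over iBGP
        p.igp_metric,                                   # 7. lowest IGP metric to next hop
        tuple(int(o) for o in p.router_id.split(".")),  # 8. lowest router-id
    )


def bgp_best_path(paths: List[BgpPath]) -> BgpPath:
    """Stage 1: a single winner among *all* BGP paths for a prefix, eBGP and iBGP together."""
    return min(paths, key=_bestpath_key)


def install_route(prefix: str, bgp_paths: List[BgpPath], other_routes: List[Route],
                  distance: Dict[str, int] = DEFAULT_DISTANCE) -> Optional[Route]:
    """Stage 2: only the BGP winner competes, by AD, with other protocols' routes."""
    candidates = [r for r in other_routes if r.prefix == prefix]
    mine = [p for p in bgp_paths if p.prefix == prefix]
    if mine:
        best = bgp_best_path(mine)
        candidates.append(Route(prefix, "bgp-" + best.source, best.next_hop, distance[best.source]))
    return min(candidates, key=lambda r: r.distance) if candidates else None


PREFIX = "203.0.113.0/24"   # constructed; stands in for the thread's 62.217.X.X/29
OSPF = [Route(PREFIX, "ospf", "10.0.0.2", 110)]   # constructed IGP route for the same prefix


def thread_case() -> Dict[str, object]:
    """Router1 hears the prefix from its ISP (eBGP) and from Router2 (iBGP).
    Assumption: Router2 sets local-pref 150 on what it passes over the iBGP session."""
    paths = [
        BgpPath(PREFIX, "198.51.100.1", "ebgp", as_path=[64496], router_id="198.51.100.1"),
        BgpPath(PREFIX, "10.0.0.2", "ibgp", as_path=[64500], local_pref=150, router_id="10.0.0.2"),
    ]
    best = bgp_best_path(paths)          # iBGP wins on local-pref; the eBGP path's AD 20 never matters
    installed = install_route(PREFIX, paths, [])
    return {"best": best.source, "rib": installed.protocol, "ad": installed.distance}


def flat_distance_case() -> Dict[str, object]:
    """Equal local-pref and AS-path length: eBGP wins stage 1 (rule 6). Whether that
    path or the OSPF route lands in the RIB then depends only on the configured AD."""
    paths = [
        BgpPath(PREFIX, "198.51.100.1", "ebgp", as_path=[64496], router_id="198.51.100.1"),
        BgpPath(PREFIX, "10.0.0.2", "ibgp", as_path=[64500], router_id="10.0.0.2"),
    ]
    default = install_route(PREFIX, paths, OSPF, DEFAULT_DISTANCE)
    flat = install_route(PREFIX, paths, OSPF, FLAT_DISTANCE)
    return {"best": bgp_best_path(paths).source,
            "default_rib": default.protocol, "flat_rib": flat.protocol}


if __name__ == "__main__":
    print(thread_case())          # {'best': 'ibgp', 'rib': 'bgp-ibgp', 'ad': 200}
    print(flat_distance_case())   # {'best': 'ebgp', 'default_rib': 'bgp-ebgp', 'flat_rib': 'ospf'}
```

Run as a script it prints both results: the first case shows why the lower AD of the losing eBGP path changes nothing, since that path never reaches the AD comparison at all; the second shows why equalising the distances lets the IGP win over a BGP route that would otherwise go into the RIB with AD 20.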
From saku+cisco-nsp at ytti.fi Fri Dec 5 08:19:16 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Fri, 5 Dec 2008 15:19:16 +0200 Subject: [c-nsp] ASR1002 and SFP-GE-T Issue In-Reply-To: <20081204220426.GB5907@srv03.cluenet.de> References: <8fa3eafa0812041317laedc726r56fa33a6f0ea1b3f@mail.gmail.com> <20081204220426.GB5907@srv03.cluenet.de> Message-ID: <20081205131916.GB16057@mx.ytti.net> On (2008-12-04 23:04 +0100), Daniel Roesen wrote: > On Thu, Dec 04, 2008 at 04:17:58PM -0500, Mojtaba Kia wrote: > > Attempting to install a SFP-GE-T transceiver on an ASR1002 router's built-in > > GE port. The lead time to get Factory SFPs from Cisco is about 2-3 weeks, > > got my hand on couple of third-party vendor SFP-GE-T transceivers and even > > though the router recognize the SFP , layer and II will not come up. > > We've seen the same here with 3rd party Copper SFPs, and "service > unsupported-transceiver" didn't help. Box didn't actually complain about > that anyway. > > No problems with "Cisco" quad-price SFPs though. Perhaps they found a > new way to recognize 3rd party Cisco-coded SFPs... no clue. > > The same 3rd party brand fiber SFPs have no issues. There are two types of cu-SFP from Cisco also, both work in say 7600/LAN cards, but only one of them work in SIP/SPA, ES20. I'm really curious what is the difference. I remember hearing something about SGMII standard and non-standard port-asics. -- ++ytti From elmi at 4ever.de Fri Dec 5 08:29:01 2008 From: elmi at 4ever.de (Elmar K. 
Bins) Date: Fri, 5 Dec 2008 14:29:01 +0100 Subject: [c-nsp] ASR1002 and SFP-GE-T Issue In-Reply-To: <20081205131916.GB16057@mx.ytti.net> References: <8fa3eafa0812041317laedc726r56fa33a6f0ea1b3f@mail.gmail.com> <20081204220426.GB5907@srv03.cluenet.de> <20081205131916.GB16057@mx.ytti.net> Message-ID: <20081205132900.GM93039@ronin.4ever.de> saku+cisco-nsp at ytti.fi (Saku Ytti) wrote: > There are two types of cu-SFP from Cisco also, both work in > say 7600/LAN cards, but only one of them work in SIP/SPA, ES20. > I'm really curious what is the difference. Hmm, I wouldn't know. Yet: I've tried two handsful of SFPs from "the big drawer with all the stuff", each one of them worked (even one that was labelled "kaputt"). They all carry a "Cisco" sticker. God knows who printed that - maybe they are all original, maybe not. Elmi. From asturluismi at gmail.com Fri Dec 5 09:05:13 2008 From: asturluismi at gmail.com (luismi) Date: Fri, 05 Dec 2008 15:05:13 +0100 Subject: [c-nsp] Alternatives to Cisco's TACACS server? In-Reply-To: <20081120083017.17c4050e.simestd@netexpress.com> References: <20081120083017.17c4050e.simestd@netexpress.com> Message-ID: <1228485913.20359.1.camel@dsba-ipso> We are using tac_plus over ubuntu and it is ok for us. Take a look El jue, 20-11-2008 a las 08:30 -0900, Tom Simes escribi?: > Hi all, > > We've got an aging Cisco Secure ACS install on the Windows platform > and we're looking for alternatives. We're only using TACACS+ for admin > authentication into our Cisco gear (not RADIUS), but we do have a > variety of groups defined with differing access to commands and > equipment and our user store is LDAP so we need at least that level of > functionality. > > What are folks using these days for a TACACS+ server that they're happy > with? > TIA! > > Tom > > ====================================================================== > "Z-80 system stack overflow. 
Shut 'er down Scotty, the system's
> sucking mud" - Error message on TRS 80 Model-16B
>
> Tom Simes simestd at netexpress.com
> ======================================================================
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From brett at looney.id.au Fri Dec 5 07:00:43 2008
From: brett at looney.id.au (Brett Looney)
Date: Fri, 5 Dec 2008 21:00:43 +0900
Subject: [c-nsp] site2site VPN with a dynamic IP
In-Reply-To: <6b546c750812050256p2b9eb3cjad4d82de10c374c4@mail.gmail.com>
References: <6b546c750812050256p2b9eb3cjad4d82de10c374c4@mail.gmail.com>
Message-ID: <003901c956d1$1ee09c80$5ca1d580$@id.au>

> How can I setup cisco devices (preferably IOS) to establish a
> site2site IPSec VPN with one endpoint on a dynamic IP?

Easy stuff.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

B.

From oiyankok at yahoo.ca Fri Dec 5 09:39:42 2008
From: oiyankok at yahoo.ca (ann kok)
Date: Fri, 5 Dec 2008 06:39:42 -0800 (PST)
Subject: [c-nsp] mtu issue
Message-ID: <243811.16585.qm@web111303.mail.gq1.yahoo.com>

Hi

I sent mail to ask about a network issue yesterday and I got the reply from the newsgroup. You are quite helpful.

When I set mtu 1500, it works now. But I have a problem.

In the Cisco configuration, configure the CPE as a PPPoE client. It needs to set the MTU to 1492, and the LAN is 1452. Now how can I do it?

Create and configure the dialer interface of the Cisco router for PPPoE with a negotiated IP address and an MTU size of 1492:

int Dialer0
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 1

Configure the ethernet 0/0 interface of the router:

int ethernet 0/0
 ip nat inside
 ip tcp adjust-mss 1452

Thank you

===

Yeah, this is probably an MTU problem.
The router needs to set the TCP MSS smaller because the packets coming back are too big but the DF bit is set, so they can't get forwarded. I have this problem with GRE tunnels and such where there are extra headers involved, requiring a higher MTU if the payload stays the same.

-Thanh

========

Hi

I have a problem accessing this site, e.g. outsidewebsite.com, but this machine can reach other websites.

I also tried to use another machine in a different network to access the same website (outsidewebsite.com). It works. But those machines are not accessing outsidewebsite.com in the same network.

I am sure there is no firewall and this website won't block any port 80 from outside.

I get "incorrect" in the tcpdump. Do you have any idea?

12:38:36.339248 IP (tos 0x8, ttl 64, id 54019, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.0.21.33786 > outsidewebsite.com.http: ., cksum 0xe114 (correct), ack 304 win 6432
12:38:36.355895 IP (tos 0x8, ttl 64, id 54020, offset 0, flags [DF], proto TCP (6), length 238)
    192.168.0.21.33786 > outsidewebsite.com.http: P, cksum 0xb071 (incorrect (-> 0xf336), 206:404(198) ack 304 win 6432

Thank you

__________________________________________________________________
Be smarter than spam. See how smart SpamGuard is at giving junk email the boot with the All-new Yahoo! Mail. Click on Options in Mail and switch to New Mail today or register for free at http://mail.yahoo.ca

From chloekcy2000 at yahoo.ca Fri Dec 5 10:46:34 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Fri, 5 Dec 2008 10:46:34 -0500 (EST)
Subject: [c-nsp] 3550 password recovery
Message-ID: <904819.44794.qm@web57410.mail.re1.yahoo.com>

Hi

I need to recover the password in a 3550.
I visited http://www.cisco.com/en/US/products/hw/switches/ps628/products_password_recovery09186a0080094184.shtml

I have a problem in step 6 "dir flash".

The switch is showing:
"unable to stat flash/: permission denied"

switch: dir
List of filesystems currently registered:
flash[0]: (read-write)
xmodem[1]: (read-only)
null[2]: (read-write)
bs[3]: (read-only)

switch: flash_init
Initializing Flash...
flashfs[0]: 16 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 3251712
flashfs[0]: Bytes available: 360960
flashfs[0]: flashfs fsck took 5 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
switch: load_helper
switch: d dir flash
unable to stat flash/: permission denied
switch:

---------------------------------
Now with a new friend-happy design! Try the new Yahoo! Canada Messenger

From justin at justinshore.com Fri Dec 5 12:41:43 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 05 Dec 2008 11:41:43 -0600
Subject: [c-nsp] 3550 password recovery
In-Reply-To: <904819.44794.qm@web57410.mail.re1.yahoo.com>
References: <904819.44794.qm@web57410.mail.re1.yahoo.com>
Message-ID: <493967D7.8050605@justinshore.com>

Read step 6 more closely. You omitted the colon after "flash". There's a warning that follows on the next line as well:

"
6. Issue the dir flash: command.

Note: Make sure to type a colon ":" after the dir flash.
"

"dir flash" tries to dir a file named "flash" on the filesystem named "flash:" (i.e. flash:/flash). Use "dir ?" for assistance in matters like this. It lists the explicit arguments you have available for use. Also, making use of tab completion will avoid typos like these that we all tend to make. "dir fl"

Justin

chloe K wrote:
> Hi
>
> I need to recover the pw in 3550.
> I visit to http://www.cisco.com/en/US/products/hw/switches/ps628/products_password_recovery09186a0080094184.shtml
>
> I have problem in step 6 "dir flash"
>
> the switch is showing:
> "unable to stat flash/: permission denied"
>
> switch: dir
> List of filesystems currently registered:
> flash[0]: (read-write)
> xmodem[1]: (read-only)
> null[2]: (read-write)
> bs[3]: (read-only)
>
> switch: flash_init
> Initializing Flash...
> flashfs[0]: 16 files, 3 directories
> flashfs[0]: 0 orphaned files, 0 orphaned directories
> flashfs[0]: Total bytes: 3612672
> flashfs[0]: Bytes used: 3251712
> flashfs[0]: Bytes available: 360960
> flashfs[0]: flashfs fsck took 5 seconds.
> ...done Initializing Flash.
> Boot Sector Filesystem (bs:) installed, fsid: 3
> Parameter Block Filesystem (pb:) installed, fsid: 4
> switch: load_helper
> switch: d dir flash
> unable to stat flash/: permission denied
> switch:
>
> ---------------------------------
> Now with a new friend-happy design! Try the new Yahoo! Canada Messenger
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From chloekcy2000 at yahoo.ca Fri Dec 5 12:47:48 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Fri, 5 Dec 2008 12:47:48 -0500 (EST)
Subject: [c-nsp] 3550 switch password question
Message-ID: <566397.92253.qm@web57412.mail.re1.yahoo.com>

Hi

Thank you for your help. I can recover the password.

Now I have a question about the password.

1/ When I boot up the switch, the switch can be accessed by console without a password in user mode.

Is it normal?

switch>

2/ I use the following guideline to set up the password.
What is the difference between "enable secret" and "enable password"?
Which one is super user mode?
Thank you

!--- To overwrite existing secret password
Sw1(config)#enable secret

!--- To overwrite existing enable password
Sw1(config)#enable password

!--- To overwrite existing vty password
Sw1(config)#line vty 0 15
Sw1(config-line)#password
Sw1(config-line)#login

!--- To overwrite existing console password
Sw1(config-line)#line con 0
Sw1(config-line)#password

---------------------------------
Be smarter than spam. See how smart SpamGuard is at giving junk email the boot with the All-new Yahoo! Mail

From md at bts.sk Fri Dec 5 14:03:27 2008
From: md at bts.sk (Marian Ďurkovič)
Date: Fri, 5 Dec 2008 20:03:27 +0100
Subject: [c-nsp] ASR1002 and SFP-GE-T Issue
In-Reply-To: <20081205131916.GB16057@mx.ytti.net>
References: <8fa3eafa0812041317laedc726r56fa33a6f0ea1b3f@mail.gmail.com> <20081204220426.GB5907@srv03.cluenet.de> <20081205131916.GB16057@mx.ytti.net>
Message-ID: <20081205190155.M55695@bts.sk>

On Fri, 5 Dec 2008 15:19:16 +0200, Saku Ytti wrote
> On (2008-12-04 23:04 +0100), Daniel Roesen wrote:
> > On Thu, Dec 04, 2008 at 04:17:58PM -0500, Mojtaba Kia wrote:
> > > Attempting to install a SFP-GE-T transceiver on an ASR1002 router's built-in
> > > GE port. The lead time to get Factory SFPs from Cisco is about 2-3 weeks,
> > > got my hand on couple of third-party vendor SFP-GE-T transceivers and even
> > > though the router recognize the SFP , layer and II will not come up.
> >
> > We've seen the same here with 3rd party Copper SFPs, and "service
> > unsupported-transceiver" didn't help. Box didn't actually complain about
> > that anyway.
> >
> > No problems with "Cisco" quad-price SFPs though. Perhaps they found a
> > new way to recognize 3rd party Cisco-coded SFPs... no clue.
> >
> > The same 3rd party brand fiber SFPs have no issues.
>
> There are two types of cu-SFP from Cisco also, both work in
> say 7600/LAN cards, but only one of them work in SIP/SPA, ES20.
> I'm really curious what is the difference.
>
> I remember hearing something about SGMII standard and non-standard
> port-asics.

One type emulates a fiber SFP and should work in all cases (at 1 Gbps) as the port does not have to perform anything special.

The other type can do 10/100/1000, but the port must support SGMII mode, which is probably not available in all card types and apparently not enabled for 3rd-party units.

For more detail see e.g. Finisar's spec and appnotes for cu-SFPs.

With kind regards,

M.

From sdanelli at gmail.com Fri Dec 5 16:31:43 2008
From: sdanelli at gmail.com (Sergio D.)
Date: Fri, 5 Dec 2008 14:31:43 -0700
Subject: [c-nsp] System MTU on 4948
Message-ID: 

Hello,

Does anyone know if a reload is needed after setting the system mtu on a 4948 running cat4500-ipbase-mz.122-31.SGA4.bin?

thanks,

--
Sergio Danelli

From mduksa at gmail.com Fri Dec 5 17:57:06 2008
From: mduksa at gmail.com (Marlon Duksa)
Date: Fri, 5 Dec 2008 14:57:06 -0800
Subject: [c-nsp] lsp ping between JNPR and Cisco
Message-ID: 

Our RSVP tunnel endpoints are JNPR boxes (M320) and a transit node is Cisco (7600). When we try to initiate MPLS ping from JNPR to JNPR through the Cisco, the MPLS ping fails. The reason is that JNPR is always setting the IP TTL to 1. Since the Cisco is a penultimate node, it strips the label, decrements the IP TTL (to 0) and sends the packet to JNPR. JNPR discards it since the IP TTL is 0.

Does anyone know if there is any workaround to this? It looks to me that the only option is to try to set the IP TTL in MPLS ping from the ingress JNPR to something > 0. Unfortunately there is no provision that would allow us to do this. On the other hand, Cisco won't honor the 'no-ttl-decrement' statement on the penultimate node if the MPLS TTL is greater than the IP TTL (which it currently is since the JNPR MPLS TTL is set to 255).
Thanks, Marlon From markom at markom.info Fri Dec 5 17:59:21 2008 From: markom at markom.info (Marko Milivojevic) Date: Fri, 5 Dec 2008 22:59:21 +0000 Subject: [c-nsp] System MTU on 4948 In-Reply-To: References: Message-ID: <1fb747910812051459p549dd8bek7672fda7ce55e2f0@mail.gmail.com> On Fri, Dec 5, 2008 at 21:31, Sergio D. wrote: > Hello, > Does anyone know if a reload is needed after setting the system mtu on a > 4948 running cat4500-ipbase-mz.122-31.SGA4.bin? I am not 100% sure about the exact IOS, but I don't remember having to reload 4948's for the system MTU change. -- Marko CCIE #18427 (SP) My network blog: http://cisco.markom.info/ From dr at cluenet.de Fri Dec 5 18:03:56 2008 From: dr at cluenet.de (Daniel Roesen) Date: Sat, 6 Dec 2008 00:03:56 +0100 Subject: [c-nsp] ASR1002 and SFP-GE-T Issue In-Reply-To: <20081205190155.M55695@bts.sk> References: <8fa3eafa0812041317laedc726r56fa33a6f0ea1b3f@mail.gmail.com> <20081204220426.GB5907@srv03.cluenet.de> <20081205131916.GB16057@mx.ytti.net> <20081205190155.M55695@bts.sk> Message-ID: <20081205230356.GA27896@srv03.cluenet.de> On Fri, Dec 05, 2008 at 08:03:27PM +0100, Marian ??urkovi?? wrote: > One type emulates fiber SFP and should work in all cases (at 1 Gbps) as the > port does not have to perform anything special. > > The other type can do 10/100/1000, but the port must support SGMII mode > which is probably not available in all card types and apparently not enabled > for 3-rd party units. Aha, interesting. That explains... the 3rd party copper SFPs I've tried (Finisar) unsuccessfully in SPA-5X1GE-V2 do work fine as 10/100/1000 in 3750G. 
The "genuine Cisco" (they are Finisar too, judging from the serial number) do support SGMII as well, as I can set them to 100mbps too:

asr1006#sh int g0/3/0 | i media
  Full Duplex, 100Mbps, link type is force-up, media type is T
asr1006#sh hw-module subslot 0/3 transceiver 0 idprom brief
IDPROM for transceiver GigabitEthernet0/3/0:
  Description                    = SFP optics (type 3)
  Transceiver Type:              = GE T (26)
  Product Identifier (PID)       = N/A
  Vendor Revision                = B
  Serial Number (SN)             = MTC111202FJ
  Vendor Name                    = CISCO-METHODE
  Vendor OUI (IEEE company ID)   = 00.00.00 (0)
  CLEI code                      = N/A
  Cisco part number              = N/A
  Device State                   = Enabled.
  Date code (yy/mm/dd)           = 07/03/23
  Connector type                 = Unknown.
  Encoding                       = 8B10B NRZ
  Nominal bitrate                = GE (1300 Mbits/s)

So it really looks like SPA-5X1GE-V2 doesn't like SGMII mode only for 3rd party SFPs...

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From sdanelli at gmail.com Fri Dec 5 18:34:21 2008
From: sdanelli at gmail.com (Sergio D.)
Date: Fri, 5 Dec 2008 16:34:21 -0700
Subject: [c-nsp] System MTU on 4948
In-Reply-To: <1fb747910812051459p549dd8bek7672fda7ce55e2f0@mail.gmail.com>
References: <1fb747910812051459p549dd8bek7672fda7ce55e2f0@mail.gmail.com>
Message-ID: 

Thanks.

On Fri, Dec 5, 2008 at 3:59 PM, Marko Milivojevic wrote:

> On Fri, Dec 5, 2008 at 21:31, Sergio D. wrote:
> > Hello,
> > Does anyone know if a reload is needed after setting the system mtu on a
> > 4948 running cat4500-ipbase-mz.122-31.SGA4.bin?
>
> I am not 100% sure about the exact IOS, but I don't remember having to
> reload 4948's for the system MTU change.
> > -- > Marko > CCIE #18427 (SP) > My network blog: http://cisco.markom.info/ > -- Sergio Danelli JNCIE #170 From chloekcy2000 at yahoo.ca Fri Dec 5 20:12:52 2008 From: chloekcy2000 at yahoo.ca (chloe K) Date: Fri, 5 Dec 2008 20:12:52 -0500 (EST) Subject: [c-nsp] System MTU on 4948 In-Reply-To: Message-ID: <772743.7165.qm@web57407.mail.re1.yahoo.com> Just wandering why it needs to reboot after changing the mtu Even linux, it just uses the command "ifconfig eth0 mtu 9000" The cisco should be better than linux Thank you "Sergio D." wrote: Thanks. On Fri, Dec 5, 2008 at 3:59 PM, Marko Milivojevic wrote: > On Fri, Dec 5, 2008 at 21:31, Sergio D. wrote: > > Hello, > > Does anyone know if a reload is needed after setting the system mtu on a > > 4948 running cat4500-ipbase-mz.122-31.SGA4.bin? > > I am not 100% sure about the exact IOS, but I don't remember having to > reload 4948's for the system MTU change. > > -- > Marko > CCIE #18427 (SP) > My network blog: http://cisco.markom.info/ > -- Sergio Danelli JNCIE #170 _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ --------------------------------- Now with a new friend-happy design! Try the new Yahoo! 
Canada Messenger

From chiwaikam at hotmail.com Sat Dec 6 03:18:15 2008
From: chiwaikam at hotmail.com (tony kam)
Date: Sat, 6 Dec 2008 16:18:15 +0800
Subject: [c-nsp] EM_WAIT_FOR_ANSWER problem
Message-ID: 

Dear All,

At our place we are using a VIC2 E&M card for intra-network voice communication. Now from one location, say A, we are able to dial to different locations. But from other locations we are not able to dial in to that particular location. As per our observation the call is reaching router A (analysed by giving "sh voice call summ") but still it doesn't go beyond it. We get output as below:

A>sh voice call sum
PORT         CODEC    VAD VTSP STATE           VPM STATE
============ ======== === ==================== ======================
3/0/0        g729r8   y   S_SETUP_REQ_PROC     EM_WAIT_FOR_ANSWER
3/0/1        -        -   -                    EM_ONHOOK
A>

Also, if the person at location A lifts the receiver and dials "9" at the same moment I place a call, we are able to communicate for about 15 sec. When the EPABX receives digit "9" it will throw the control towards the router, meaning the EPABX understands that the call is made for the WAN rather than the LAN.

------------- Configuration for ref. ----------
voice-port 3/0/0
 operation 4-wire
 type 5
 signal immediate
 cptone IN
 timing inter-digit 500
 timing dialout-delay 70
!
voice-port 3/0/1
 operation 4-wire
 type 5
 signal immediate
 cptone IN
 timing inter-digit 500
 timing dialout-delay 70
!
dial-peer cor custom
!
!
!
dial-peer voice 1 pots
 destination-pattern 316..
 port 3/0/0
 prefix #
!
dial-peer voice 2 pots
 destination-pattern 316..
 port 3/0/1
 prefix #
!
#### CREATED NECESSARY DIAL_PEERS ####
-----------------------------------------

Please suggest.

Regards,
Tony

From scaner at global-one.by Sat Dec 6 05:29:29 2008
From: scaner at global-one.by (Eugene Vedistchev)
Date: Sat, 06 Dec 2008 12:29:29 +0200
Subject: [c-nsp] npe-g2 CsCsk65796
Message-ID: <493A5409.7050109@global-one.by>

I wonder if someone else upgraded to the 12.2SB train to fix CSCsk65796?
Bug Details NPE-G2: all rx frames counted as overruns on built-in gige. We have upgraded software to 12.2.31SB13 on two routers, reloaded them and stuck with this bug again. Bug Toolkit provided workaround to powercycle routers. I cannot justify for me, do powercycle with new software get rid this bug for us, or we encounter another bug or physical failure ? Eugene Vedistchev From markom at markom.info Sat Dec 6 06:04:54 2008 From: markom at markom.info (Marko Milivojevic) Date: Sat, 6 Dec 2008 11:04:54 +0000 Subject: [c-nsp] System MTU on 4948 In-Reply-To: <772743.7165.qm@web57407.mail.re1.yahoo.com> References: <772743.7165.qm@web57407.mail.re1.yahoo.com> Message-ID: <1fb747910812060304i337e8b4h2fc8e1bbe09c7b87@mail.gmail.com> On Sat, Dec 6, 2008 at 01:12, chloe K wrote: > Just wandering why it needs to reboot after changing the mtu > > Even linux, it just uses the command "ifconfig eth0 mtu 9000" > > The cisco should be better than linux In the same sense as cargo planes should be considerably better than blueberries, I absolutely agree with your statement. -- Marko CCIE #18427 (SP) My network blog: http://cisco.markom.info/ From rodunn at cisco.com Sat Dec 6 08:09:38 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Sat, 6 Dec 2008 08:09:38 -0500 Subject: [c-nsp] npe-g2 CsCsk65796 In-Reply-To: <493A5409.7050109@global-one.by> References: <493A5409.7050109@global-one.by> Message-ID: <20081206130938.GL844@rtp-cse-489.cisco.com> Eugene, Can you post a 'sh int' and 'sh controller' for the interface? And 'sh ver' from the box? Rodney On Sat, Dec 06, 2008 at 12:29:29PM +0200, Eugene Vedistchev wrote: > I wonder if someone else upgraded to 12.2SB train to fix CSCsk65796 ? > Bug Details NPE-G2: all rx frames counted as overruns on built-in gige. > > We have upgraded software to 12.2.31SB13 on two routers, reloaded them > and stuck with this > bug again. > Bug Toolkit provided workaround to powercycle routers. 
> I cannot justify for me, do powercycle with new software get rid this > bug for us, or we encounter another bug or physical failure ? > > Eugene Vedistchev > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From bennetb at gmail.com Sat Dec 6 10:37:15 2008 From: bennetb at gmail.com (Brandon Bennett) Date: Sat, 6 Dec 2008 08:37:15 -0700 Subject: [c-nsp] System MTU on 4948 In-Reply-To: <772743.7165.qm@web57407.mail.re1.yahoo.com> References: <772743.7165.qm@web57407.mail.re1.yahoo.com> Message-ID: <1ECBCA28-F88C-4D4B-8FAC-40BDFE7AC445@gmail.com> Well the 3560 and 3750 series require a reboot after setting the system mtu. I am certain this is where the question originates from. Although I am not sure with the 4948. Although I would imagine it not requiring a reboot. If you get no warning then you should be fine. -Brandon Bennett CCIE #19406 Sent from my iPhone On Dec 5, 2008, at 6:12 PM, chloe K wrote: > Just wandering why it needs to reboot after changing the mtu > > Even linux, it just uses the command "ifconfig eth0 mtu 9000" > > The cisco should be better than linux > > Thank you > > > > > "Sergio D." wrote: > Thanks. > > On Fri, Dec 5, 2008 at 3:59 PM, Marko Milivojevic wrote: > >> On Fri, Dec 5, 2008 at 21:31, Sergio D. wrote: >>> Hello, >>> Does anyone know if a reload is needed after setting the system >>> mtu on a >>> 4948 running cat4500-ipbase-mz.122-31.SGA4.bin? >> >> I am not 100% sure about the exact IOS, but I don't remember having >> to >> reload 4948's for the system MTU change. 
>> >> -- >> Marko >> CCIE #18427 (SP) >> My network blog: http://cisco.markom.info/ >> > > > > -- > Sergio Danelli > JNCIE #170 > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > --------------------------------- > Now with a new friend-happy design! Try the new Yahoo! Canada > Messenger > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From furry13 at gmail.com Sat Dec 6 19:27:06 2008 From: furry13 at gmail.com (Jen Linkova) Date: Sun, 7 Dec 2008 11:27:06 +1100 Subject: [c-nsp] 3550 switch password question In-Reply-To: <566397.92253.qm@web57412.mail.re1.yahoo.com> References: <566397.92253.qm@web57412.mail.re1.yahoo.com> Message-ID: <6b86f99d0812061627j1e750d32pa688cff63f42d406@mail.gmail.com> On Sat, Dec 6, 2008 at 4:47 AM, chloe K wrote: > 1/ When I boot up the switch, the switch can be accessed by console without password in user mode > > ls it normal? Absolutely. It's a default configuration which allows you to access the switch and configure it. You need to configure authentication as well as other options before placing the switch in the production environment. > 2/ I use the following guidline to setup the password. > What is the different between "enable secret" and "enable password" > which one is super usermode? The difference is an encryption algorithm. 
It's recommended to use 'enable secret' (and don't forget the 'service password-encryption' command ;-)

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html#wp1000927

--
SY, Jen Linkova
aka Furry

From jmaimon at ttec.com Sat Dec 6 20:08:12 2008
From: jmaimon at ttec.com (Joe Maimon)
Date: Sat, 06 Dec 2008 20:08:12 -0500
Subject: [c-nsp] 3550 switch password question
In-Reply-To: <6b86f99d0812061627j1e750d32pa688cff63f42d406@mail.gmail.com>
References: <566397.92253.qm@web57412.mail.re1.yahoo.com> <6b86f99d0812061627j1e750d32pa688cff63f42d406@mail.gmail.com>
Message-ID: <493B21FC.7060406@ttec.com>

Jen Linkova wrote:
> On Sat, Dec 6, 2008 at 4:47 AM, chloe K wrote:
>> 1/ When I boot up the switch, the switch can be accessed by console without a password in user mode.
>>
>> Is it normal?
>
> Absolutely. It's a default configuration which allows you to access
> the switch and configure it.
> You need to configure authentication as well as other options before
> placing the switch in the production environment.

You won't have network access to it until you configure authentication.

Skip the passwords on the vty lines; just configure aaa with local user accounts.

>
>> 2/ I use the following guideline to set up the password.
>> What is the difference between "enable secret" and "enable password"?
>> Which one is super user mode?

In IOS, passwords aren't secret. So use secret.

>
> The difference is an encryption algorithm.
> It's recommended to use
> 'enable secret' (and don't forget the 'service password-encryption'
> command ;-)
>
> http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html#wp1000927
>

From gert at greenie.muc.de Sun Dec 7 04:23:05 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 7 Dec 2008 10:23:05 +0100
Subject: [c-nsp] SXI out
In-Reply-To: <20081113154732.GA57592@puck.nether.net>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net>
Message-ID: <20081207092305.GI8535@greenie.muc.de>

Hi,

On Thu, Nov 13, 2008 at 10:47:32AM -0500, Jared Mauch wrote:
> I suspect SXI is highly deployable. :)

Just to add a data point to this. So far, our test SXI box (semi-production, not "only lab") has been exceedingly well-behaved - IPv4, IPv6, BGP, EIGRP, OSPFv3, MPLS, SNMP "just works".

Non-modular, though. I didn't have time to test modular yet ("soon!").

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From dentonj at gmail.com Sun Dec 7 14:06:02 2008
From: dentonj at gmail.com (Jeffrey Denton)
Date: Sun, 7 Dec 2008 20:06:02 +0100
Subject: [c-nsp] System MTU on 4948
In-Reply-To:
References:
Message-ID: <8ebbd7f50812071106p122b46e2odb548cefc4396650@mail.gmail.com>

If the documentation is correct, then the answer should be no.
YMMV In the "Catalyst 3560 Switch Software Configuration Guide Cisco IOS Release 12.2(46)SE", page 10-29: "If you change the system MTU size to a value smaller than the currently configured routing MTU size, the configuration change is accepted, but not applied until the next switch reset." In the "Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide Release 12.2(46)SG" (Cisco's website mentions "Catalyst 4900 and 4500 switches share configuration information"), I didn't see the same warning. See page 24-5 on System MTU. Pages 6-20 and 6-21 discuss MTU and Jumbo Frame support. Page 29-8 discusses configuring IP MTU sizes on layer 3 interfaces. On 12/5/08, Sergio D. wrote: > Hello, > Does anyone know if a reload is needed after setting the system mtu on a > 4948 running cat4500-ipbase-mz.122-31.SGA4.bin? > thanks, > > > -- > Sergio Danelli > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From A.L.M.Buxey at lboro.ac.uk Sun Dec 7 16:49:55 2008 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Sun, 7 Dec 2008 21:49:55 +0000 Subject: [c-nsp] SXI out In-Reply-To: <20081207092305.GI8535@greenie.muc.de> References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <20081207092305.GI8535@greenie.muc.de> Message-ID: <20081207214955.GA4822@lboro.ac.uk> Hi, > Just to add a data point to this. So far, our test SXI box (semi-production, > not "only lab") has been exceedingly well-behaved - IPv4, IPv6, BGP, EIGRP, > OSPFv3, MPLS, SNMP "just works". > > Non-modular, though. I didn't have time to test modular yet ("soon!"). 
Same story here - non-modular SXI behaving itself so far - we had to jump over after SXH3a spontaneously rebooted after enabling IPv6 on a VLAN and turning on ND suppression :-(

alan

From sf at lists.esoteric.ca Mon Dec 8 04:28:55 2008
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Mon, 08 Dec 2008 04:28:55 -0500
Subject: [c-nsp] SXI out
In-Reply-To: <20081207092305.GI8535@greenie.muc.de>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <20081207092305.GI8535@greenie.muc.de>
Message-ID: <493CE8D7.3080501@lists.esoteric.ca>

Gert, et al:

No issues here, non-modular, semi-production ME6524. IPv4, SNMP, BGP (full table filtered by RIR allocation), MPLS. IPv6 soon. SCP works. So far, so good.

-- S.

Gert Doering wrote:
> Hi,
>
> On Thu, Nov 13, 2008 at 10:47:32AM -0500, Jared Mauch wrote:
>> I suspect SXI is highly deployable. :)
>
> Just to add a data point to this. So far, our test SXI box (semi-production,
> not "only lab") has been exceedingly well-behaved - IPv4, IPv6, BGP, EIGRP,
> OSPFv3, MPLS, SNMP "just works".
>
> Non-modular, though. I didn't have time to test modular yet ("soon!").
>
> gert
>

From richard.halfpenny at exa-networks.co.uk Mon Dec 8 08:50:07 2008
From: richard.halfpenny at exa-networks.co.uk (Richard Halfpenny)
Date: Mon, 08 Dec 2008 13:50:07 +0000
Subject: [c-nsp] Cisco 1841 Maximum IPSEC Tunnels
Message-ID: <493D260F.2000608@exa-networks.co.uk>

Hi Guys,

Does anyone have any real-world figures for the maximum number of IPSEC tunnels it is possible to run concurrently on an 1841 without the additional VPN/SSL AIM? The following doc indicates 800 with the AIM:

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/data_sheet_vpn_aim_for_18128003800routers_ps5853_Products_Data_Sheet.html

Is 300 tunnels a reasonable figure? Traffic to this headend would be exceptionally low (less than 1Mbps in either direction) from spoke sites, but there are lots of them!

Regards,
Richard.
--
IP Network Engineering / Operations
Exa Networks Ltd :: AS30740

From ross at kallisti.us Mon Dec 8 14:30:52 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Mon, 8 Dec 2008 14:30:52 -0500
Subject: [c-nsp] Adding connected routes in a VRF
Message-ID: <20081208193052.GA22044@kallisti.us>

Hi everyone,

In the global table, you can tell IOS to create a connected route by statically routing a prefix out an interface.
This causes the box to ARP for next-hops out that interface without having an address assigned in the prefix:

ip route 10.0.0.0 255.255.255.0 Vlan1234

However, there's a syntax ambiguity when you place this in a VRF, since this is how you leak traffic out of a VRF:

ip route vrf foobar 10.0.0.0 255.255.255.0 Vlan1234
% For VPN routes, must specify a next hop IP address if not a point-to-point interface

Is there any way to get the global table behavior in a VRF?

Ross
--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From oboehmer at cisco.com Mon Dec 8 15:24:54 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 8 Dec 2008 21:24:54 +0100
Subject: [c-nsp] Adding connected routes in a VRF
In-Reply-To: <20081208193052.GA22044@kallisti.us>
References: <20081208193052.GA22044@kallisti.us>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406849BC2@xmb-ams-333.emea.cisco.com>

Ross Vandegrift <> wrote on Monday, December 08, 2008 20:31:
> ip route 10.0.0.0 255.255.255.0 Vlan1234
>
> However, there's a syntax ambiguity when you place this in a VRF,
> since this is how you leak traffic out of a VRF:
>
> ip route vrf foobar 10.0.0.0 255.255.255.0 Vlan1234
> % For VPN routes, must specify a next hop IP address if not a
> point-to-point interface
>
> Is there any way to get the global table behavior in a VRF?

No, the next-hop address is required..

oli

P.S: I guess we would also require this for global if we implemented this today..

From cisconsp at data102.com Mon Dec 8 15:26:24 2008
From: cisconsp at data102.com (randal k)
Date: Mon, 8 Dec 2008 13:26:24 -0700
Subject: [c-nsp] 3550 12.2.25SEB4 ->12.2.44SE breaks OSPF?
Message-ID:

NSP'ers,

We recently did a maintenance to upgrade some of our aging 3550s to newer code.
After the IOS upgrade, the switch came back online and formed OSPF adjacencies & exchanged traffic with all of our other switches, but could not maintain one with any of our routers. For example, the upgraded IOS switch was able to get some OSPF action with a 3750, 4 other 3550s of various code versions, and a 3560g with no problem. However, it would not hold one open with a 7206/NPE-G1, a 6509/Sup7203bxl and a 3845. Gist is that it would open, the adjacency would form, and then after 25 or so retransmits the problem 3550 would close the session. The peering routers all thought things were OK. Here is a short snippet of the logs:

Dec 5 00:12:40 C3550 214: 00:08:11: OSPF: Rcv LS UPD from CISCO6509 on Vlan101 length 92 LSA count 1
Dec 5 00:12:40 lo0.c6509.fac01.cos 1007: Dec 5 00:12:39 MST: %OSPF-5-ADJCHG: Process 10, Nbr C3550 on Vlan101 from LOADING to FULL, Loading Done
Dec 5 00:12:45 C3550 215: 00:08:15: OSPF: Retransmitting request to CISCO3845 on Vlan101
Dec 5 00:12:45 C3550 216: 00:08:15: OSPF: Send LS REQ to CISCO3845 length 1476 LSA count 123
Dec 5 00:12:45 C3550 217: 00:08:15: OSPF: Retransmitting request to CISCO6509 on Vlan101
Dec 5 00:12:45 C3550 218: 00:08:15: OSPF: Send LS REQ to CISCO6509 length 1476 LSA count 123

*repeat for 2 minutes*

Dec 5 00:14:30 c3550 303: 00:10:00: OSPF: Send LS REQ to CISCO6509 length 1476 LSA count 123
Dec 5 00:14:35 c3550 304: 00:10:05: OSPF: Retransmitting request to CISCO3845 on Vlan101
Dec 5 00:14:35 c3550 305: 00:10:05: OSPF: Send LS REQ to CISCO3845 length 1476 LSA count 123
Dec 5 00:14:35 c3550 306: 00:10:05: OSPF: Retransmitting request to CISCO6509 on Vlan101
Dec 5 00:14:35 c3550 307: 00:10:05: OSPF: Send LS REQ to CISCO6509 length 1476 LSA count 123
Dec 5 00:14:39 c3550 308: 00:10:10: OSPF: Killing nbr CISCO3845 on Vlan101 due to excessive (25) retransmissions

The 3550 states that it goes into loading/dr, loading/bdr & exstart for the 6509, 3845 & 7206 respectively.
Our config is *extremely* simple in this situation - loopback+3-4 routes per box, active interfaces everywhere, handful of VLANs, nothing complex at all. It is not an MTU issue; all MTUs have been verified and debugging it shows it accepting the MTUs. (It's a legacy setup, I presume MTU=1530 is for QinQ/MPLS)

Dec 5 00:33:45 C35502655: 00:29:15: OSPF: Rcv DBD from CISCO3845 on Vlan101 seq 0xB9C opt 0x52 flag 0x2 len 572 mtu 1500 state EXCHANGE
Dec 5 00:33:45 C35502657: 00:29:15: OSPF: Rcv DBD from CISCO3845 on Vlan101 seq 0xB9D opt 0x52 flag 0x0 len 32 mtu 1500 state EXCHANGE
Dec 5 00:33:52 C35502675: 00:29:23: OSPF: Rcv DBD from CISCO6509 on Vlan101 seq 0xAC9 opt 0x52 flag 0x7 len 32 mtu 1530 state EXSTART
Dec 5 00:33:52 C35502677: 00:29:23: OSPF: Rcv DBD from CISCO6509 on Vlan101 seq 0x1956 opt 0x52 flag 0x2 len 1452 mtu 1530 state EXSTART
Dec 5 00:33:52 C35502680: 00:29:23: OSPF: Rcv DBD from CISCO6509 on Vlan101 seq 0x1957 opt 0x52 flag 0x2 len 1452 mtu 1530 state EXCHANGE

Rolling back from 12.2.44SE -> 12.2.25SEB4 resolved the issue with no config changes.

Any ideas? I'm more than happy to send over unedited logfiles offline.

Thanks,
Randal

From jason.plank at comcast.net Mon Dec 8 15:27:45 2008
From: jason.plank at comcast.net (jason.plank at comcast.net)
Date: Mon, 08 Dec 2008 20:27:45 +0000
Subject: [c-nsp] Adding connected routes in a VRF
Message-ID: <120820082027.28361.493D8341000CFDAC00006EC9221357533305020E049FD202019C0E06@comcast.net>

I would hope so.
:)

--
Regards,

Jason Plank
CCIE #16560
e: jason.plank at comcast.net

-------------- Original message ----------------------
From: "Oliver Boehmer (oboehmer)"
> Ross Vandegrift <> wrote on Monday, December 08, 2008 20:31:
>
> > ip route 10.0.0.0 255.255.255.0 Vlan1234
> >
> > However, there's a syntax ambiguity when you place this in a VRF,
> > since this is how you leak traffic out of a VRF:
> >
> > ip route vrf foobar 10.0.0.0 255.255.255.0 Vlan1234
> > % For VPN routes, must specify a next hop IP address if not a
> > point-to-point interface
> >
> > Is there any way to get the global table behavior in a VRF?
>
> No, the next-hop address is required..
>
> oli
>
> P.S: I guess we would also require this for global if we implemented
> this today..

From nick.jon.griffin at gmail.com Mon Dec 8 15:50:05 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Mon, 8 Dec 2008 14:50:05 -0600
Subject: [c-nsp] Adding connected routes in a VRF
In-Reply-To: <120820082027.28361.493D8341000CFDAC00006EC9221357533305020E049FD202019C0E06@comcast.net>
References: <120820082027.28361.493D8341000CFDAC00006EC9221357533305020E049FD202019C0E06@comcast.net>
Message-ID:

You have to manually add host routes as the next hop since you can't add the router itself. Another solution I found that worked was this: "BGP Support for ipv4 Prefix Import". This for me worked well; you just need to make sure that the prefixes you wish to bring in from the Global Table exist in the BGP GRT RIB. See example below:

ip vrf VRF1
 import ipv4 unicast map GLOBAL->VRF
!
router bgp 1
 redistribute connected route-map CONNECTED->BGP metric 5
 !
 address-family ipv4 vrf VRF1
!
interface vlan X
 ip address 1.1.1.1 255.255.255.0
!
ip prefix-list GLOBAL->VRF permit 1.1.1.0/24
!
route-map GLOBAL->VRF
 match ip address prefix GLOBAL->VRF
!
route-map CONNECTED->BGP
 match interface vlan X

The other gotcha that seemed to irritate me a bit is that when you apply the ipv4 map to the VRF to filter your global routes, this also seems to filter prefixes imported via other RTs as well.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2273a/1

On Mon, Dec 8, 2008 at 2:27 PM, wrote:

> I would hope so. :)
>
> --
> Regards,
>
> Jason Plank
> CCIE #16560
> e: jason.plank at comcast.net
>
> -------------- Original message ----------------------
> From: "Oliver Boehmer (oboehmer)"
> > Ross Vandegrift <> wrote on Monday, December 08, 2008 20:31:
> >
> > > ip route 10.0.0.0 255.255.255.0 Vlan1234
> > >
> > > However, there's a syntax ambiguity when you place this in a VRF,
> > > since this is how you leak traffic out of a VRF:
> > >
> > > ip route vrf foobar 10.0.0.0 255.255.255.0 Vlan1234
> > > % For VPN routes, must specify a next hop IP address if not a
> > > point-to-point interface
> > >
> > > Is there any way to get the global table behavior in a VRF?
> >
> > No, the next-hop address is required..
> >
> > oli
> >
> > P.S: I guess we would also require this for global if we implemented
> > this today..

From jcartier at acs.on.ca Mon Dec 8 15:28:03 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Mon, 8 Dec 2008 15:28:03 -0500
Subject: [c-nsp] Combining multiple vlans into a single vlan.
Message-ID:

I've been recently asked by a co-worker for a solution to a scenario where they are receiving multiple VLANs from an ISP via an NNI and the requirement is to bridge/combine them into a single VLAN.

Any thoughts or comments?

Thanks!

From gert at greenie.muc.de Mon Dec 8 16:13:19 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 8 Dec 2008 22:13:19 +0100
Subject: [c-nsp] Adding connected routes in a VRF
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406849BC2@xmb-ams-333.emea.cisco.com>
References: <20081208193052.GA22044@kallisti.us> <70B7A1CCBFA5C649BD562B6D9F7ED78406849BC2@xmb-ams-333.emea.cisco.com>
Message-ID: <20081208211318.GL8535@greenie.muc.de>

Hi,

On Mon, Dec 08, 2008 at 09:24:54PM +0100, Oliver Boehmer (oboehmer) wrote:
> P.S: I guess we would also require this for global if we implemented
> this today..

Don't :-) - there are useful use cases for it. No pretty ones, admitted, but sometimes you can't be too selective...

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From ross at kallisti.us Mon Dec 8 16:41:04 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Mon, 8 Dec 2008 16:41:04 -0500
Subject: [c-nsp] Adding connected routes in a VRF
In-Reply-To:
References: <120820082027.28361.493D8341000CFDAC00006EC9221357533305020E049FD202019C0E06@comcast.net>
Message-ID: <20081208214104.GC22044@kallisti.us>

On Mon, Dec 08, 2008 at 02:50:05PM -0600, Nick Griffin wrote:
> You have to manually add host routes as the next hop since you can't add the
> router itself. Another solution I found that worked was this:
>
> "BGP Support for ipv4 Prefix Import".
> This for me worked well; you just need
> to make sure that the prefixes you wish to bring in from the Global Table exist
> in the BGP GRT RIB. See example below:

No, this is a different feature. Prefix import permits you to leak traffic out of a VRF into the global table. I don't want traffic to move between VPNs.

Here's a bit more complete config that better displays the difference:

ip vrf foobar
 rd 1:1
!
interface GigabitEthernet1/1
 ip address 10.0.100.1 255.255.255.0
!
interface GigabitEthernet1/2
 ip vrf forwarding foobar
 ip address 10.0.200.1 255.255.255.0
!
! second route throws an error
ip route 192.168.100.0 255.255.255.0 GigabitEthernet1/1
ip route vrf foobar 192.168.200.0 255.255.255.0 GigabitEthernet1/2

router#show ip route 192.168.100.0
Routing entry for 192.168.100.0/24
  Known via "static", distance 1, metric 0 (connected)
  Redistributing via ospf 10
  Advertised by ospf 10 subnets
  Routing Descriptor Blocks:
  * directly connected, via GigabitEthernet1/1
      Route metric is 0, traffic share count is 1

If I have two machines connected to Gi1/1, numbered in 10.0.100.0/24, and I assign secondary addresses from 192.168.100.0/24, those host addresses will work fine if I know that both servers have 10.0.100.1 as the next-hop for all of their routes.

While this probably isn't a common scenario, I have a few common server scenarios where this helps a lot in converging networks onto fewer routers.

Ross
--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From david at davidcoulson.net Mon Dec 8 16:47:26 2008
From: david at davidcoulson.net (David Coulson)
Date: Mon, 08 Dec 2008 16:47:26 -0500
Subject: [c-nsp] Adding connected routes in a VRF
In-Reply-To: <20081208214104.GC22044@kallisti.us>
References: <120820082027.28361.493D8341000CFDAC00006EC9221357533305020E049FD202019C0E06@comcast.net> <20081208214104.GC22044@kallisti.us>
Message-ID: <493D95EE.5030007@davidcoulson.net>

I always hate this sort of configuration...

Why not just assign Gi1/2 a secondary address from your 192.168 subnet and make life simple? :)

Ross Vandegrift wrote:
> ip route 192.168.100.0 255.255.255.0 GigabitEthernet1/1
> ip route vrf foobar 192.168.200.0 255.255.255.0 GigabitEthernet1/2

From mduksa at gmail.com Mon Dec 8 17:17:28 2008
From: mduksa at gmail.com (Marlon Duksa)
Date: Mon, 8 Dec 2008 14:17:28 -0800
Subject: [c-nsp] issu on ios-xr
Message-ID:

Hi - does IOS-XR support STATEFUL switchover of the control plane? There are a bunch of references to this (RSP SSO, NSF, NSR, Graceful Restart) but it is not clear to me simply whether protocol states are replicated to the standby RSP?

I'm not looking for GR protocol extensions in conjunction with NSF to provide control plane redundancy but rather a true state replication. For example, if BGP goes down, the TCP session will never be broken between the peers.

If this is supported, what is it called in Cisco's terms? I don't think it is called RSP SSO as they still refer to RSP SSO + NSF as a means to provide redundancy based on GR protocol extensions?
Thanks,
Marlon

From mduksa at gmail.com Mon Dec 8 17:20:08 2008
From: mduksa at gmail.com (Marlon Duksa)
Date: Mon, 8 Dec 2008 14:20:08 -0800
Subject: [c-nsp] [j-nsp] lsp ping between JNPR and Cisco
In-Reply-To: <71D23AAE53176A4EB67247AFFADCC10C24F95FCB1C@FMAIL-CCR.synetrixhl.local>
References: <71D23AAE53176A4EB67247AFFADCC10C24F95FCB1C@FMAIL-CCR.synetrixhl.local>
Message-ID:

When we replaced the Cisco with a JNPR box as transit LSR, the PING worked. With or without 127.0.0.1. Obviously there is an interop issue between Cisco and JNPR, namely Cisco is decrementing IP TTL as penultimate hop. And we don't know how to disable this...

Thanks,
Marlon

On Sat, Dec 6, 2008 at 12:20 PM, wrote:

> I take it that you already configured 127.0.0.1 on the loopbacks which is
> required for MPLS ping to work on Junipers?
>
> Regards
> Daniel
>
>
> -----Original Message-----
> From: Marlon Duksa
> Sent: 05 December 2008 22:57
> To: Juniper-Nsp ; cisco-nsp at puck.nether.net <cisco-nsp at puck.nether.net>
> Subject: [j-nsp] lsp ping between JNPR and Cisco
>
> Our RSVP tunnel endpoints are JNPR boxes (M320) and a transit node is Cisco
> (7600). When we try to initiate MPLS ping from JNPR to JNPR through Cisco,
> the mpls ping fails.
> The reason is that JNPR is always setting IP TTL as 1. Since the Cisco is a
> penultimate node, it strips the label, decrements the IP TTL (to 0) and sends
> the packet to JNPR. JNPR discards it since the IP TTL is 0.
>
> Does anyone know if there is any workaround to this?
>
> It looks to me that the only option is to try to set the IP TTL in MPLS ping
> from ingress JNPR to something > 0. Unfortunately there is no provision that
> would allow us to do this.
> On the other hand, Cisco won't honor the 'no-ttl-decrement' statement on the
> penultimate if MPLS TTL is greater than the IP TTL (which currently is, since
> JNPR MPLS TTL is set to 255).
>
> Thanks,
> Marlon
>

From rekordmeister at gmail.com Mon Dec 8 18:27:50 2008
From: rekordmeister at gmail.com (MKS)
Date: Mon, 8 Dec 2008 23:27:50 +0000
Subject: [c-nsp] option 82
Message-ID:

Hi list

I'm trying to find information about how Cisco formats the option 82 field in DHCP. So far I got this:

http://www.ciscosystems.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/unnumber.html#wp1073190

"Type: Format type. The value 2 specifies the format for use with this feature. (1 byte)
Length: Length of the Agent Remote ID suboption, not including the type and length fields. (1 byte)
Reserved: Reserved. (2 bytes)
NAS IP Address: IP address of the interface specified by the ip unnumbered command. (4 bytes)
Interface: Physical interface. This field has the following format: slot (4 bits) | module (1 bit) | port (3 bits). For example, if the interface name is interface ethernet 2/1/1, the slot is 2, the module is 1, and the port is 1. (1 byte)
Reserved: Reserved. (1 byte)
VLAN ID: VLAN identifier for the Ethernet interface. (2 bytes)"

and this:

"The option 82 format may vary from product to product. Contact the relay agent vendor for this information."

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gdhcpopt.html#wp1042966

I'm specifically looking for info on decoding option 82 in Cisco 7600 on Ethernet interfaces and 7200 on ATM interfaces.

If somebody can point me in the right direction that would be great, else I have to go through TAC...
Regards
MKS

From ross at kallisti.us Mon Dec 8 18:59:17 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Mon, 8 Dec 2008 18:59:17 -0500
Subject: [c-nsp] Adding connected routes in a VRF
In-Reply-To: <493D95EE.5030007@davidcoulson.net>
References: <120820082027.28361.493D8341000CFDAC00006EC9221357533305020E049FD202019C0E06@comcast.net> <20081208214104.GC22044@kallisti.us> <493D95EE.5030007@davidcoulson.net>
Message-ID: <20081208235917.GA24909@kallisti.us>

On Mon, Dec 08, 2008 at 04:47:26PM -0500, David Coulson wrote:
> I always hate this sort of configuration...
>
> Why not just assign Gi1/2 a secondary address from your 192.168 subnet
> and make life simple? :)

In an ideal world, I agree. But suppose you can't because a legacy architecture that you're migrating from has that /24 full of customer-facing addresses? Or suppose you use GLBP and need to add an (n+1)th router to the forwarding path and there's no free addressing left (see above constraint). This feature lets you stack a few cheaper boxes up until you get budget cleared for an upgrade.

As was said elsewhere in the thread, it's not really pretty, but it can be quite useful.

Ross
--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From peter at rathlev.dk Mon Dec 8 20:35:30 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 09 Dec 2008 02:35:30 +0100
Subject: [c-nsp] Combining multiple vlans into a single vlan.
In-Reply-To:
References:
Message-ID: <1228786530.3953.2.camel@localhost.localdomain>

On Mon, 2008-12-08 at 15:28 -0500, Jeff Cartier wrote:
> I've been recently asked by a co-worker for a solution to a scenario
> where they are receiving multiple vlans from an ISP via an NNI and the
> requirement is to bridge/combine them into a single vlan.
>
> Any thoughts or comments?

Make sure they don't mess up the provider's network, in case they didn't protect themselves well enough.
:-)

When that's said, you could do it with BVIs. Or with some physical loopback cables.

Is it rude asking why one would do this? :-)

Regards,
Peter

From vikassharmas at gmail.com Mon Dec 8 23:34:12 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Tue, 9 Dec 2008 10:04:12 +0530
Subject: [c-nsp] URL redirection
Message-ID:

Hi,

Need advice on URL redirection. The issue is that one of our customers is accessing the Internet from different locations in Europe but his Internet access point (gateway) is in the UK only. Now if he tries to access google.com he gets the page google.co.uk from all locations. Now the requirement is that if the customer is accessing the Internet from, for example, Frankfurt, he should get google.co.fra, not google.co.uk.

How can this be achieved with minimum configuration? Can DNS help to achieve this?

Regards,
Vikas Sharma

From David at Hughes.com.au Tue Dec 9 00:22:32 2008
From: David at Hughes.com.au (David J. Hughes)
Date: Tue, 9 Dec 2008 15:22:32 +1000
Subject: [c-nsp] Netflow for 6500?
In-Reply-To:
References:
Message-ID: <14FF1968-E6A5-43AC-98D1-D76F8430EC62@Hughes.com.au>

My understanding is that netflow export has been available since Sup1 PFC1. However, if you are coming from a "router" platform you are in for a few surprises.

If you want to do per-interface netflow (i.e. specify the L3 interfaces you want to get data for) then you need to be running SXH. There are several CCO documents that either hint or state that it supports per-interface on any SX code but that's not the case. A recent TAC case has had some of those documents removed from Cisco's web site. And running SXH sounds like a barrel of laughs from all reports.

We have netflow export configured on Sup720 / SXF boxes and doing a lot of post-processing to get rid of the data we don't want.

David
...

On 01/12/2008, at 5:36 AM, jonas at bjorklund.cn wrote:

> Hello,
>
> Which supervisors have support for Netflow on the 6500 series?
>
> SUP2?
> SUP32?
> SUP720?
>
> /Jonas
>

From oboehmer at cisco.com Tue Dec 9 01:33:30 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 9 Dec 2008 07:33:30 +0100
Subject: [c-nsp] issu on ios-xr
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406849C1C@xmb-ams-333.emea.cisco.com>

Marlon Duksa <> wrote on Monday, December 08, 2008 23:17:

> Hi - does IOS-XR support STATEFUL switchover of the control plane? There
> are a bunch of references to this (RSP SSO, NSF, NSR, Graceful
> Restart) but it is not clear to me simply whether protocol states
> are replicated to the standby RSP?
>
> I'm not looking for GR protocol extensions in conjunction with NSF to
> provide control plane redundancy but rather a true state replication.
> For example, if BGP goes down, the TCP session will never be broken
> between the peers.
>
> If this is supported, what is it called in Cisco's terms?

What you are looking for is referred to as "NSR" (Non-Stop Routing). The standby RP has all the required state to resume operation without any help from peers (unlike NSF/GR). I think we ship it now for LDP and OSPF (ISIS "nsf cisco" has always been acting pretty much like NSR, not requiring neighbor awareness), BGP will come soon.

oli

From avayner at cisco.com Tue Dec 9 01:58:48 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 9 Dec 2008 07:58:48 +0100
Subject: [c-nsp] URL redirection
In-Reply-To:
References:
Message-ID: <67F7C1FAF83A074AA3520D8F155782A5024C38E3@xmb-ams-331.emea.cisco.com>

Vikas,

Google most likely uses some kind of IP geo-lookup, and they use your source IP to decide to which page you would be redirected.

If you want your users to appear in different countries they should be using the local internet gateway connections...
This would be the easiest way.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma
Sent: Tuesday, December 09, 2008 06:34 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] URL redirection

Hi,

Need advice on URL redirection. The issue is that one of our customers is accessing the Internet from different locations in Europe but his Internet access point (gateway) is in the UK only. Now if he tries to access google.com he gets the page google.co.uk from all locations. Now the requirement is that if the customer is accessing the Internet from, for example, Frankfurt, he should get google.co.fra, not google.co.uk.

How can this be achieved with minimum configuration? Can DNS help to achieve this?

Regards,
Vikas Sharma

From ariemer at wesenergy.com.au Tue Dec 9 02:51:20 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Tue, 9 Dec 2008 16:51:20 +0900
Subject: [c-nsp] 1700 Series WIC Modules
Message-ID: <0867622C64B50C4B878AB45C95F43F110658CFDA@MAILWA01.wesenergy.local>

Hey guys,

Is there any easy way to work out which IOS is required for the different WICs available? I have a 1751 series router that I am trying to get a 4 port FXS card working with, and I would like to know what IOS will support it as it is currently not detected.

Cheers,
Aaron.

LEGAL DISCLAIMER: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. From gert at greenie.muc.de Tue Dec 9 03:49:36 2008 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 9 Dec 2008 09:49:36 +0100 Subject: [c-nsp] Netflow for 6500? In-Reply-To: <14FF1968-E6A5-43AC-98D1-D76F8430EC62@Hughes.com.au> References: <14FF1968-E6A5-43AC-98D1-D76F8430EC62@Hughes.com.au> Message-ID: <20081209084936.GM8535@greenie.muc.de> Hi, On Tue, Dec 09, 2008 at 03:22:32PM +1000, David J. Hughes wrote: > And running SXH sounds like a barrel of laughs from all reports. SXH3a works very well for us. (But of course it's not available on Sup1* or Sup2* based systems) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From asturluismi at gmail.com Tue Dec 9 05:20:36 2008 From: asturluismi at gmail.com (luismi) Date: Tue, 09 Dec 2008 11:20:36 +0100 Subject: [c-nsp] Tranport Stream diagnostic software for multicast streaming video Message-ID: <1228818036.8530.3.camel@dsba-ipso> Hi all, We have an issue here with a multicast video straming and I would like to know if there is a software (free or open source) to do troubleshooting in the best way possible to detect problems in the transport stream. I don't mind if the software runs over linux or windows. Thanks and Regards. 
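An added example for luismi's question above; it is not code from any poster on this thread nor from the tools recommended later in it. It does, offline, the core of what a transport-stream analyser does: walk the 188-byte MPEG-2 TS packets carried in the multicast UDP datagrams, verify the 0x47 sync byte and the transport_error_indicator, and track the per-PID continuity counter so that packets lost or duplicated on the network show up as continuity errors. Header layout follows ISO/IEC 13818-1 section 2.4.3; the input is a constructed byte string with deliberately lost, repeated and corrupted packets (PIDs 0x100 and 0x101 are arbitrary choices).

```python
"""
Minimal MPEG-2 transport stream integrity checker (added example).

Feed it the concatenated UDP payloads captured from the multicast group
(normally 7 TS packets per 1316-byte datagram); it reports sync loss,
transport_error_indicator hits, and continuity-counter (CC) gaps per PID.
"""
from collections import defaultdict

TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47
NULL_PID = 0x1FFF


def parse_header(pkt: bytes) -> dict:
    """Decode the 4-byte TS header plus the discontinuity flag, if any."""
    if len(pkt) != TS_PACKET_SIZE:
        raise ValueError("a TS packet is exactly 188 bytes")
    afc = (pkt[3] >> 4) & 0x03                 # adaptation_field_control
    has_af = bool(afc & 0x02)                  # 2 or 3: adaptation field present
    # discontinuity_indicator is bit 7 of the first flag byte of a non-empty
    # adaptation field; it legitimately resets the continuity counter
    discont = has_af and pkt[4] > 0 and bool(pkt[5] & 0x80)
    return {
        "sync_ok": pkt[0] == SYNC_BYTE,
        "tei": bool(pkt[1] & 0x80),            # transport_error_indicator
        "pid": ((pkt[1] & 0x1F) << 8) | pkt[2],
        "has_payload": bool(afc & 0x01),       # 1 or 3: payload present
        "cc": pkt[3] & 0x0F,                   # continuity_counter
        "discontinuity": discont,
    }


def check_stream(data: bytes) -> dict:
    """
    Walk a buffer of TS packets and report integrity problems.

    cc_errors maps pid -> [(packet index, expected cc, seen cc, packets lost)];
    'packets lost' is (seen - expected) mod 16, so a gap of 16 or more wraps.
    """
    cc_errors = defaultdict(list)
    duplicates = defaultdict(int)
    pids = defaultdict(int)
    sync_errors = tei = packets = 0
    last_cc = {}     # pid -> CC of the previous packet on that PID
    repeated = {}    # pid -> True if the previous packet was the one legal repeat

    for idx, off in enumerate(range(0, len(data) - TS_PACKET_SIZE + 1, TS_PACKET_SIZE)):
        hdr = parse_header(data[off:off + TS_PACKET_SIZE])
        packets += 1
        if not hdr["sync_ok"]:
            sync_errors += 1                   # header fields are garbage
            continue
        if hdr["tei"]:
            tei += 1
        pid, cc = hdr["pid"], hdr["cc"]
        pids[pid] += 1
        if pid == NULL_PID:                    # CC is undefined on null packets
            continue
        if pid in last_cc and not hdr["discontinuity"]:
            prev = last_cc[pid]
            if hdr["has_payload"]:
                expected = (prev + 1) & 0x0F
                if cc == prev and not repeated.get(pid):
                    duplicates[pid] += 1       # one repeat of a packet is legal
                    repeated[pid] = True
                    continue
                if cc != expected:
                    cc_errors[pid].append((idx, expected, cc, (cc - expected) & 0x0F))
            elif cc != prev:                   # no payload: CC must not advance
                cc_errors[pid].append((idx, prev, cc, 0))
        last_cc[pid] = cc
        repeated[pid] = False

    return {"packets": packets, "sync_errors": sync_errors, "tei": tei,
            "cc_errors": dict(cc_errors), "duplicates": dict(duplicates),
            "pids": dict(pids)}


def make_packet(pid: int, cc: int, payload: bool = True, tei: bool = False) -> bytes:
    """Build a minimal 188-byte TS packet (constructed test data only)."""
    b1 = (0x80 if tei else 0x00) | ((pid >> 8) & 0x1F)
    b3 = ((0x01 if payload else 0x02) << 4) | (cc & 0x0F)
    hdr = bytes([SYNC_BYTE, b1, pid & 0xFF, b3])
    if payload:
        return hdr + bytes(184)
    # adaptation field only: length 183, flags 0x00, 182 bytes of stuffing
    return hdr + bytes([183, 0x00]) + b"\xff" * 182


# Constructed stream: a video PID (0x100), an audio PID (0x101), one null packet.
SAMPLE_STREAM = b"".join([
    make_packet(0x100, 0), make_packet(0x100, 1), make_packet(0x100, 2),
    make_packet(0x101, 0), make_packet(0x100, 3), make_packet(0x100, 4),
    make_packet(0x101, 1),
    make_packet(0x100, 7),                 # CC 5 and 6 never arrived
    make_packet(0x100, 7),                 # legal single repeat
    make_packet(0x100, 8),
    make_packet(NULL_PID, 5),
    make_packet(0x101, 2, tei=True),       # flagged corrupt upstream
    make_packet(0x100, 8, payload=False),  # adaptation-only: CC must hold at 8
    make_packet(0x100, 9),
    b"\x00" + bytes(187),                  # lost sync
])

if __name__ == "__main__":
    r = check_stream(SAMPLE_STREAM)
    for pid, errs in r["cc_errors"].items():
        for idx, exp, got, lost in errs:
            print(f"PID 0x{pid:04x} pkt {idx}: expected CC {exp}, got {got} ({lost} lost)")
    print(f"{r['packets']} packets, {r['sync_errors']} sync errors, "
          f"{r['tei']} TEI, duplicates {r['duplicates']}")
```

A CC gap on every PID at the same moment points at the network (a dropped UDP datagram takes seven packets with it); gaps on a single PID, or TEI hits, point at the source or the encoder. Sync loss on a live capture usually means the datagram boundary was lost or the stream is not 188-byte aligned.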
From mikie.simpson at gmail.com  Tue Dec  9 09:46:17 2008
From: mikie.simpson at gmail.com (Michael Simpson)
Date: Tue, 9 Dec 2008 14:46:17 +0000
Subject: [c-nsp] IOS IPS updates
Message-ID: <82abd3a70812090646v5d333e62ia23671bfc5fa52b0@mail.gmail.com>

Hi there,

Does anyone know why the IOS IPS updates at are no longer being updated and haven't been since October?

I usually roll out updates by CLI onto the 877s at our branches. Do I now have to use CCP for this? I would rather not, as I would rather not use Java or X on my OpenBSD boxen.

I have been trying to work this out for a while now.

thanks in advance
mike

From eric at atlantech.net  Tue Dec  9 10:43:57 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Tue, 9 Dec 2008 10:43:57 -0500
Subject: [c-nsp] Route reflectors vs. confederations
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863512DD8806@exchange.aoihq.local>

Hi all,

I'm wondering what the general consensus is regarding confederations as an iBGP scaling technique. We currently utilize a complex hierarchical route reflector scheme for peering metro switches in a ring with a couple of distribution 6509s. Some rings have 'head-end' route reflectors that have 'no client-to-client-reflection' enabled, which enables us to peer all the clients directly with each other in order to avoid routing loops on the ring. This setup has worked pretty well for us in the past, but as more and more rings are added, it becomes more and more complicated. I'm giving thought to confederations because the concept appears "simpler", but I've been told that confederations are a nightmare to deal with. I haven't configured confederations outside of a very small lab environment and would like to get some real-world opinions.
Thanks,
evt

From david.freedman at uk.clara.net  Tue Dec  9 13:15:49 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 9 Dec 2008 18:15:49 -0000
Subject: [c-nsp] IOS IPv6 CEF adjacencies on 12xxx

Can anybody here give me a pointer to how these work?

I've the following setup:

          WAN
 [ ]---------[ ]
 [RA]        [RB]
 [ ]---------[ ]

RA is a 12410 with E5 facing the LAN and E2 (4-port POS card) facing the WAN (12.0(32)SY4).
RB is a 12012 with E2 facing the LAN and E2 (4-port POS card) facing the WAN (12.0(32)S5).

Both POS links are bundled, so the only way for these hosts to communicate over the bundle is ipv6ip, like such:

interface Tunnel0
 description ipv6ip to rb
 no ip address
 no ip directed-broadcast
 ipv6 address 2001:db8::1/126
 ipv6 enable
 tunnel source 1.1.1.1
 tunnel destination 1.1.1.2
 tunnel mode ipv6ip
end

(IPv6 over GRE is not an option as RB would require a tunnel card.)

Now, the interesting thing is that one in every three ICMP packets sent from the LAN of RA (E5) to the LAN of RB causes an ICMPv6 "destination unreachable" message to be sent back to the host from the LAN interface of RA, like such:

wkst-q5$ ping6 2001:db8:b::1
PING 2001:db8:b::1(2001:db8:b::1) 56 data bytes
64 bytes from 2001:db8:b::1: icmp_seq=1 ttl=59 time=101 ms
From 2001:db8:a::1 icmp_seq=2 Destination unreachable: No route
From 2001:db8:a::1 icmp_seq=3 Destination unreachable: No route
64 bytes from 2001:db8:b::1: icmp_seq=4 ttl=59 time=42.4 ms
From 2001:db8:a::1 icmp_seq=5 Destination unreachable: No route
From 2001:db8:a::1 icmp_seq=6 Destination unreachable: No route
64 bytes from 2001:db8:b::1: icmp_seq=7 ttl=59 time=28.6 ms

where 2001:db8:a::1 in this case is the E5 LAN-facing card on RA.

Both tunnel interfaces seem to have autogenerated link-local addresses:

ra#sh ipv6 int tun0
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C316:9EE
  Description: ipv6ip to ra
  Global unicast address(es):
    2001:DB8::1, subnet is 2001:DB8::/126
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FF16:9EE
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  Hosts use stateless autoconfig for addresses.

rb#sh ipv6 int tun0
Tunnel0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C316:9ED
  Description: ipv6ip to ra
  Global unicast address(es):
    2001:DB8::2, subnet is 2001:DB8::/126
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:2
    FF02::1:FF16:9ED
  MTU is 1480 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  Hosts use stateless autoconfig for addresses.

Yet neither, of course, has an IPv6 neighborship (not required, I would imagine?):

ra#sh ipv6 neighbors tun0
IPv6 Address                              Age Link-layer Addr State Interface

rb#sh ipv6 neighbors tun0
IPv6 Address                              Age Link-layer Addr State Interface

Also, from the perspective of CEF, all seems to be OK on the surface:

ra#sh ipv6 cef tun0
2001:DB8:B::/48
  nexthop FE80::C316:9ED Tunnel0
2001:DB8:1::/126
  attached to Tunnel0

rb#sh ipv6 cef tun0
2001:DB8:A::/48
  nexthop FE80::C316:9ED Tunnel0
2001:DB8:1::/126
  attached to Tunnel0

ra#sh ipv6 cef exact-route 2001:db8:a::1 2001:db8:b::1
2001:DB8:A::1 -> 2001:DB8:B::1 interface Tunnel0

rb#sh ipv6 cef exact-route 2001:db8:b::1 2001:db8:a::1
2001:DB8:B::1 -> 2001:DB8:A::1 interface Tunnel0

**BUT** if you dig deeper, you find that this isn't the case at all:

ra#execute-on slot sh ipv6 cef exact-route 2001:db8:a::1 2001:db8:b::1
2001:DB8:A::1 -> 2001:DB8:B::1 interface Tunnel0
Adjacency is incomplete so not cef switched

ra#execute-on slot sh ipv6 cef exact-route 2001:db8:a::1 2001:db8:b::1
2001:DB8:A::1 -> 2001:DB8:B::1 interface Tunnel0
Adjacency is incomplete so not cef switched

but this message does not appear on rb.

So, it looks like the lack of adjacency is the cause. Before I go and open a TAC case (and get told to clear dCEF tables / reboot linecards), is there anything non-invasive I could try to debug/resolve this?

Thanks in advance.

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

From RTeller at deltadentalwa.com  Tue Dec  9 12:43:43 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 9 Dec 2008 09:43:43 -0800
Subject: [c-nsp] Cisco WCS, Radius, and Guest Administration
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0194A@tiger.deltadentalwa.com>

Whenever I attempt to administer "Guest Users" under WCS using an account that was authenticated against RADIUS I get an HTTP 500 error. It doesn't matter what level (group membership) the account has. Has anyone else experienced this problem?
From adrian.minta at gmail.com  Tue Dec  9 13:21:26 2008
From: adrian.minta at gmail.com (Adrian Minta)
Date: Tue, 09 Dec 2008 20:21:26 +0200
Subject: [c-nsp] Transport Stream diagnostic software for multicast streaming video
In-Reply-To: <1228818036.8530.3.camel@dsba-ipso>
References: <1228818036.8530.3.camel@dsba-ipso>
Message-ID: <493EB726.4000000@gmail.com>

luismi wrote:
> Hi all,
>
> We have an issue here with multicast video streaming and I would like
> to know if there is any software (free or open source) to do
> troubleshooting in the best way possible to detect problems in the
> transport stream.
>
> I don't mind if the software runs on Linux or Windows.
>
> Thanks and Regards.
>
Try vlc.
http://www.videolan.org/

--
Best regards,
Adrian Minta

From jackson.tim at gmail.com  Tue Dec  9 13:25:32 2008
From: jackson.tim at gmail.com (Tim Jackson)
Date: Tue, 9 Dec 2008 12:25:32 -0600
Subject: [c-nsp] Transport Stream diagnostic software for multicast streaming video
In-Reply-To: <493EB726.4000000@gmail.com>
References: <1228818036.8530.3.camel@dsba-ipso> <493EB726.4000000@gmail.com>
Message-ID: <4407932e0812091025i574ae248g35d6c7b9a641e518@mail.gmail.com>

Check out TSReader... You can get a demo that does a lot of stuff for free, and I don't think it's too expensive anyway...
Outside of that, if you want something that handles monitoring the stuff really well, the best hardware platform is from IneoQuest: http://www.ineoquest.com

--
Tim

On Tue, Dec 9, 2008 at 12:21 PM, Adrian Minta wrote:
> luismi wrote:
>
>> Hi all,
>>
>> We have an issue here with multicast video streaming and I would like
>> to know if there is any software (free or open source) to do
>> troubleshooting in the best way possible to detect problems in the
>> transport stream.
>>
>> I don't mind if the software runs on Linux or Windows.
>>
>> Thanks and Regards.
>>
> Try vlc.
> http://www.videolan.org/
>
> --
> Best regards,
> Adrian Minta
>

From denyipanyany at gmail.com  Tue Dec  9 14:04:53 2008
From: denyipanyany at gmail.com (Deny IP Any Any)
Date: Tue, 9 Dec 2008 14:04:53 -0500
Subject: [c-nsp] 'sh cdp neighbor' on IOS shows the serial of CatOS as part of name

Perhaps this is just nitpicking, but I've always hated that a 'show cdp ne' on an IOS-based switch will show both the serial and the name of a CatOS switch as the device ID. Is there a way to change this to only show the name of the remote device?

Example:

BW-3750-CoreSWA# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID             Local Intrfce    Holdtme  Capability  Platform   Port ID
JAE062208PV(WH-B5-2)  Gig 2/0/49       149      T S         WS-C2948   2/49

The switch named WH-B5-2 is a 2948G running 8.4(11)GLX. If I do a 'show cdp nei' from CatOS, it only shows the name.

WH-B5-1> (enable) show cdp neighbors
* - indicates vlan mismatch.
# - indicates duplex mismatch.
Port     Device-ID                       Port-ID                   Platform
-------- ------------------------------- ------------------------- ------------
 2/1     WH-B5-2                         2/1                       WS-C2948

--
deny ip any any (4393649193 matches)

From justin at justinshore.com  Tue Dec  9 16:28:53 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 09 Dec 2008 15:28:53 -0600
Subject: [c-nsp] DS3 mux issues
Message-ID: <493EE315.2000103@justinshore.com>

We're staging a DS3 mux to aggregate T1s back to a PA-MC-2T3-EC in a 7206VXR (G2) running 12.4(15)T7. I haven't channelized a T3 before so I'm feeling my way through this. It looks to be relatively simple but I'm getting tripped up somewhere.

On the 7206:

controller T3 1/0
 cablelength 10
 logging-events detail
 t1 1 channel-group 0 timeslots 1-24
 t1 2 channel-group 0 timeslots 1-24
 t1 3 channel-group 0 timeslots 1-24
 t1 4 channel-group 0 timeslots 1-24
 t1 5 channel-group 0 timeslots 1-24
 t1 6 channel-group 0 timeslots 1-24
 t1 7 channel-group 0 timeslots 1-24
 t1 8 channel-group 0 timeslots 1-24
 t1 9 channel-group 0 timeslots 1-24
 t1 10 channel-group 0 timeslots 1-24
 t1 11 channel-group 0 timeslots 1-24
 t1 12 channel-group 0 timeslots 1-24
 t1 13 channel-group 0 timeslots 1-24
 t1 14 channel-group 0 timeslots 1-24
 t1 15 channel-group 0 timeslots 1-24
 t1 16 channel-group 0 timeslots 1-24
 t1 17 channel-group 0 timeslots 1-24
 t1 18 channel-group 0 timeslots 1-24
 t1 19 channel-group 0 timeslots 1-24
 t1 20 channel-group 0 timeslots 1-24
 t1 21 channel-group 0 timeslots 1-24
 t1 22 channel-group 0 timeslots 1-24
 t1 23 channel-group 0 timeslots 1-24
 t1 24 channel-group 0 timeslots 1-24
 t1 25 channel-group 0 timeslots 1-24
 t1 26 channel-group 0 timeslots 1-24
 t1 27 channel-group 0 timeslots 1-24
 t1 28 channel-group 0 timeslots 1-24

I've got a spare 2811 with a VWIC-2MFT-T1 on the other end configured like this:

controller T1 0/1/0
 framing esf
 linecode b8zs
 cablelength short 133
 channel-group 0 timeslots 1-24
!
controller T1 0/1/1
 framing esf
 linecode b8zs
 cablelength short 133
 channel-group 0 timeslots 1-24

Clock source is internal on the 7206 and line on the 2811. Everything else assumed the default settings. In the middle is a new Wide Bank 28 that was set up by one of our telco guys. He said the necessary config is minimal.

My T3 is up but I'm down/down on the serial ints on both ends. I can manually loop up the 2811 at the VWIC and the int comes up. I can loop it up at the biscuit jack on the 2811's side of the mux and the appropriate T1 on the 7206 comes up. To me that makes me think the mux is fine and that both ends are fine (at least from their perspective). So that makes me think that something isn't matching up on the 7206 and 2811. The linecode on the T3 is B3ZS of course and framing for the T1 is ESF. The T1 on the 2811 is B8ZS and ESF.

On the 7206:

7206-1.amherst#sh controllers t3 1/0 br
T3 1/0 is up.
  Applique type is Channelized T3/T1
  No alarms detected.
  Framing is M23, Line Code is B3ZS, Clock Source is Internal
  Equipment customer loopback
  T1 1 is down
    timeslots: 1-24
    FDL per AT&T 54016 spec.
    Transmitter is sending LOF Indication.
    Receiver is getting AIS.
    Framing is ESF, Clock Source is Internal

7206-1.amherst#sh controllers t3 1/0
T3 1/0 is up.
  Applique type is Channelized T3/T1
  No alarms detected.
  Framing is M23, Line Code is B3ZS, Clock Source is Internal
  Equipment customer loopback
  Data in current interval (611 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     0 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 0 LOS Defect Secs
  Data in Interval 1:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     0 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 0 LOS Defect Secs
  Data in Interval 2:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     0 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 0 LOS Defect Secs
  Data in Interval 3:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     0 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 0 LOS Defect Secs
  Data in Interval 4:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     0 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 0 LOS Defect Secs
  Data in Interval 5:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     0 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 0 LOS Defect Secs
  Data in Interval 6:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     0 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 0 LOS Defect Secs
  Data in Interval 7:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     0 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 0 Far-end path failures
     0 Far-end code violations, 0 FERF Defect Secs
     0 AIS Defect Secs, 0 LOS Defect Secs
  Data in Interval 8:
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     1 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 1 Far-end path failures
     0 Far-end code violations, 10 FERF Defect Secs
     0 AIS Defect Secs, 0 LOS Defect Secs
  Total Data (last 8 15 minute intervals):
     0 Line Code Violations, 0 P-bit Coding Violation,
     0 C-bit Coding Violation, 0 P-bit Err Secs,
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs,
     1 Unavailable Secs, 0 Line Errored Secs,
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs
     0 Severely Errored Line Secs
     0 Far-End Errored Secs, 0 Far-End Severely Errored Secs
     0 CP-bit Far-end Unavailable Secs
     0 Near-end path failures, 1 Far-end path failures
     0 Far-end code violations, 10 FERF Defect Secs
     0 AIS Defect Secs, 0 LOS Defect Secs
  T1 1 is down
    timeslots: 1-24
    FDL per AT&T 54016 spec.
    Transmitter is sending LOF Indication.
    Receiver is getting AIS.
    Framing is ESF, Clock Source is Internal
    BERT test result (done)
       Test Pattern : All 0's, Status : Not Sync, Sync Detected : 0
       Interval : 5 minute(s), Time Remain : 0 minute(s)
       Bit Errors (since BERT started): 0 bits,
       Bits Received (since BERT started): 3 Mbits
       Bit Errors (since last sync): 0 bits
       Bits Received (since last sync): 0 Kbits
    Data in current interval (509 seconds elapsed):
       0 Line Code Violations, 0 Path Code Violations
       0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
       0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
       509 Unavail Secs, 0 Stuffed Secs
       255 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
    Data in Interval 1:
       0 Line Code Violations, 0 Path Code Violations
       0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
       0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
       900 Unavail Secs, 0 Stuffed Secs
       450 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
    Data in Interval 2:
       0 Line Code Violations, 0 Path Code Violations
       0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
       0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
       900 Unavail Secs, 0 Stuffed Secs
       450 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
    Data in Interval 3:
       0 Line Code Violations, 0 Path Code Violations
       0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
       0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
       717 Unavail Secs, 0 Stuffed Secs
       361 Near-end path failures, 1 Far-end path failures, 0 SEF/AIS Secs
    Data in Interval 4:
       0 Line Code Violations, 0 Path Code Violations
       0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
       0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
       900 Unavail Secs, 0 Stuffed Secs
       450 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
    Data in Interval 5:
       0 Line Code Violations, 0 Path Code Violations
       0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
       0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
       900 Unavail Secs, 0 Stuffed Secs
       450 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
    Data in Interval 6:
       0 Line Code Violations, 0 Path Code Violations
       0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
       0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
       900 Unavail Secs, 0 Stuffed Secs
       450 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
    Data in Interval 7:
       0 Line Code Violations, 0 Path Code Violations
       0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
       0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
       847 Unavail Secs, 0 Stuffed Secs
       429 Near-end path failures, 2 Far-end path failures, 0 SEF/AIS Secs
    Data in Interval 8:
       0 Line Code Violations, 0 Path Code Violations
       0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
       0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
       900 Unavail Secs, 0 Stuffed Secs
       450 Near-end path failures, 0 Far-end path failures, 0 SEF/AIS Secs
    Total Data (last 8 15 minute intervals):
       0 Line Code Violations, 0 Path Code Violations,
       0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
       0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs
       6964 Unavail Secs, 0 Stuffed Secs

On the 2811:

S1-2811#sh controllers t1 0/1/0 br
T1 0/1/0 is down.
  Applique type is Channelized T1
  Cablelength is short 133
  Transmitter is sending remote alarm.
  Receiver has loss of signal.
  alarm-trigger is not set
  Soaking time: 3, Clearance time: 10
  AIS State:Clear  LOS State:Clear  LOF State:Clear
  Version info Firmware: 20070320, FPGA: 20, spm_count = 0
  Framing is ESF, FDL is ansi & att, Line Code is B8ZS, Clock Source is Line.
  CRC Threshold is 320. Reported from firmware is 320.
  Data in current interval (760 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 760 Unavail Secs
  Total Data (last 26 15 minute intervals):
     37460 Line Code Violations, 8785 Path Code Violations,
     2 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins,
     2 Errored Secs, 0 Bursty Err Secs, 7 Severely Err Secs, 22169 Unavail Secs

I can't find any way to set the line code on the 7206 for the individual T1s. The virtual serial ints only have an IP on them at this point. Everything is unshut. Any idea what I could be missing? What's causing all the path and line code violations?

Thanks
Justin

From ddunkin at netos.net  Tue Dec  9 16:46:06 2008
From: ddunkin at netos.net (Darryl Dunkin)
Date: Tue, 9 Dec 2008 13:46:06 -0800
Subject: [c-nsp] DS3 mux issues
References: <493EE315.2000103@justinshore.com>
Message-ID: <56F5BC5F404CF84896C447397A1AAF20B0F349@MAIL.nosi.netos.com>

The line code for individual T1s is handled on the MUX. Based on the counters of line code violations, I'd check there first and see what it is set to.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Tuesday, December 09, 2008 13:29
To: 'Cisco-nsp'
Subject: [c-nsp] DS3 mux issues
Data in current interval (760 seconds elapsed): 0 Line Code Violations, 0 Path Code Violations 0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins 0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 760 Unavail Secs Total Data (last 26 15 minute intervals): 37460 Line Code Violations, 8785 Path Code Violations, 2 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins, 2 Errored Secs, 0 Bursty Err Secs, 7 Severely Err Secs, 22169 Unavail Secs I can't find any way to set the line code on the 7206 for the individual T1s. The virtual serial ints only have an IP on them at this point. Everything is unshut. Any idea what I could be missing? What's causing all the path and line code violations? Thanks Justin _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From streiner at cluebyfour.org Tue Dec 9 17:11:47 2008 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Tue, 9 Dec 2008 17:11:47 -0500 (EST) Subject: [c-nsp] DS3 mux issues In-Reply-To: <493EE315.2000103@justinshore.com> References: <493EE315.2000103@justinshore.com> Message-ID: On Tue, 9 Dec 2008, Justin Shore wrote: > In the middle is a new Wide Bank 28 that was set up by one of our telco guys. > He said the necessary config is minimal. > > My T3 is up but I'm down/down on the serial ints on both ends. I can > manually loop up the 2811 at the VWIC and the int comes up. I can loop it up > at the biscuit jack on the 2811's side of the mux and the appropriate T1 on > the 7206 comes up. To me that makes me think the mux is fine and that both > ends are fine (at least from their perspective). So that makes me think that > something isn't matching up on the 7206 and 2811. Can you loop one of the T1s on the 7206 and see the loop on the 2811? 
It's been a while, but I think this would be done using controller t3 x/x t1 x channel-group 0 timeslots 1-24 loopback ? There should be a number of different options under this to set the direction (facing you or facing the line) and depth (pass through the T1 framer, etc) for the loop. I think you may need to have a peek at the config on the mux if possible. It looks like your frames aren't passing through, which is probably why your T1s are showing LOF/AIS. When you put a hard loop on the physical T1 end, facing back to the 7206, do the LOF/AIS indicators go out on that port? From what I can see, the router configs look OK. Also make sure the mux isn't trying to inject its own clocking into the T1s. It probably isn't, but it's a good idea to check. jms From bstiff at cisco.com Tue Dec 9 17:34:59 2008 From: bstiff at cisco.com (Brian Stiff (bstiff)) Date: Tue, 9 Dec 2008 14:34:59 -0800 Subject: [c-nsp] IOS IPS updates In-Reply-To: References: Message-ID: Hi Mike, comments in-line at B> Regards, Brian From: "Michael Simpson" Subject: [c-nsp] IOS IPS updates Hi there, Does anyone know why the ios ips updates at are no longer being updated and haven't been since October? B> The latest sig file updates have been deferred to accommodate some changes in the process for translating the sensor signatures to IOS IPS. Sorry for the delays, but you can very likely expect to see recent sig updates made available for IPS in the next several days. I usually roll out updates by cli onto the 877s at our branches. Do I now have to use CCP for this? I would rather not, as I would rather not use Java or X on my OpenBSD boxen. B> CLI support for configuring IOS IPS v5 signature support is documented here: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html.
Brian Stiff Product Marketing Engineer IOS & Router Security Mktg http://www.cisco.com/go/iossecurity From lesmith at ecsis.net Tue Dec 9 17:58:29 2008 From: lesmith at ecsis.net (Larry Smith) Date: Tue, 9 Dec 2008 16:58:29 -0600 Subject: [c-nsp] DS3 mux issues In-Reply-To: <493EE315.2000103@justinshore.com> References: <493EE315.2000103@justinshore.com> Message-ID: <200812091658.29211.lesmith@ecsis.net> On Tue December 9 2008 15:28, Justin Shore wrote: > We're staging a DS3 mux to aggregate T1s back to a PA-MC-2T3-EC in a > 7206VXR (G2) running 12.4(15)T7. I haven't channelized a T3 before so > I'm feeling my way through this. It looks to be relatively simple but > I'm getting tripped up somewhere. On the 7206: > > controller T3 1/0 > cablelength 10 > logging-events detail > t1 1 channel-group 0 timeslots 1-24 > t1 2 channel-group 0 timeslots 1-24 > t1 3 channel-group 0 timeslots 1-24 > t1 4 channel-group 0 timeslots 1-24 > t1 5 channel-group 0 timeslots 1-24 > t1 6 channel-group 0 timeslots 1-24 > t1 7 channel-group 0 timeslots 1-24 > t1 8 channel-group 0 timeslots 1-24 > t1 9 channel-group 0 timeslots 1-24 > t1 10 channel-group 0 timeslots 1-24 > t1 11 channel-group 0 timeslots 1-24 > t1 12 channel-group 0 timeslots 1-24 > t1 13 channel-group 0 timeslots 1-24 > t1 14 channel-group 0 timeslots 1-24 > t1 15 channel-group 0 timeslots 1-24 > t1 16 channel-group 0 timeslots 1-24 > t1 17 channel-group 0 timeslots 1-24 > t1 18 channel-group 0 timeslots 1-24 > t1 19 channel-group 0 timeslots 1-24 > t1 20 channel-group 0 timeslots 1-24 > t1 21 channel-group 0 timeslots 1-24 > t1 22 channel-group 0 timeslots 1-24 > t1 23 channel-group 0 timeslots 1-24 > t1 24 channel-group 0 timeslots 1-24 > t1 25 channel-group 0 timeslots 1-24 > t1 26 channel-group 0 timeslots 1-24 > t1 27 channel-group 0 timeslots 1-24 > t1 28 channel-group 0 timeslots 1-24 > Here is an excerpt of one I have up and running: (much cut for obvious reasons) controller T3 5/0 framing m23 clock source line 
cablelength 10 t1 1 channel-group 0 timeslots 1-24 t1 2 channel-group 1 timeslots 1-24 t1 3 channel-group 2 timeslots 1-12 t1 4 channel-group 3 timeslots 1-24 t1 5 channel-group 4 timeslots 1-12 t1 6 channel-group 5 timeslots 1-24 t1 7 channel-group 6 timeslots 1-24 t1 8 channel-group 7 timeslots 1-12 t1 9 channel-group 8 timeslots 1-12 t1 10 channel-group 9 timeslots 1-12 ..... t1 1 clock source Line t1 2 clock source Line t1 3 clock source Line t1 4 clock source Line t1 6 clock source Line t1 7 clock source Line t1 8 clock source Line t1 9 clock source Line t1 10 clock source Line ...cut other bits..... ! interface Serial5/0/1:0 description XXXXXXXXXXXXXXXX bandwidth 1544 ip address 1.2.3.4 0.0.0.0 (bogus) encapsulation ppp down-when-looped fair-queue ! interface Serial5/0/2:1 description YYYYYYYYYYYYYYYYYYY bandwidth 1544 ip address 2.3.4.5 0.0.0.0 (bogus) encapsulation ppp down-when-looped fair-queue ! On your virtual, what does it show: sh int s5/0/2:1 Serial5/0/2:1 is up, line protocol is up Hardware is PA-MC-T3 Description: YYYYYYYYYYYYYYYYYYYYYYY Internet address is 2.3.4.5/30 MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, reliability 255/255, txload 169/255, rxload 3/255 Encapsulation PPP, LCP Open Open: IPCP, crc 16, loopback not set Last input 1d03h, output 00:00:00, output hang never Last clearing of "show interface" counters 00:00:02 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: weighted fair Output queue: 2/1000/64/0 (size/max total/threshold/drops) Conversations 1/231/256 (active/max active/max total) Reserved Conversations 0/0 (allocated/max allocated) Available Bandwidth 1158 kilobits/sec 5 minute input rate 20000 bits/sec, 56 packets/sec 5 minute output rate 1025000 bits/sec, 91 packets/sec 133 packets input, 5876 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 260 packets output, 391040 bytes, 0 underruns 0 output 
errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions no alarm present Timeslot(s) Used: 1-24, subrate: 1536Kb/s, transmit delay is 0 flags non-inverted data -- Larry Smith SysAd ECSIS.NET sysad at ecsis.net -- Larry Smith lesmith at ecsis.net From lsawyer at gci.com Tue Dec 9 18:17:04 2008 From: lsawyer at gci.com (Leif Sawyer) Date: Tue, 9 Dec 2008 14:17:04 -0900 Subject: [c-nsp] IPv6 SNMP MIB support... In-Reply-To: <200812091658.29211.lesmith@ecsis.net> Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA092BC1DB@FNB1EX01.gci.com> All -- I'm trying to write a small applet that will query my network cloud and derive name->address mappings for IPv6, so that my /etc/hosts table can be automagically updated with "ipv6_addr devicename_i/f" entries. I can't seem to find any information on IPv6-MIB support for any cisco IOS - the MIB browser tool simply says "no support in any IOS" for me. Has anybody been able to pull from the IPv6 mibs, whether official (.1.3.6.1.2.1.55...) or is there a CiscoExperimental tree that I need to pull from? Thanks. From billf at mu.org Wed Dec 10 00:22:42 2008 From: billf at mu.org (bill fumerola) Date: Tue, 9 Dec 2008 21:22:42 -0800 Subject: [c-nsp] IOS IPv6 CEF adjacencies on 12xxx In-Reply-To: References: Message-ID: <20081210052242.GM97614@elvis.mu.org> N.B. it's been a half-decade since i've touched a cisco 12k. 
On Tue, Dec 09, 2008 at 06:15:49PM -0000, David Freedman wrote: > ra#sh ipv6 int tun0 > Tunnel0 is up, line protocol is up > IPv6 is enabled, link-local address is FE80::C316:9EE > rb#sh ipv6 int tun0 > Tunnel0 is up, line protocol is up > IPv6 is enabled, link-local address is FE80::C316:9ED > > Also, from the perspective of CEF, all seems to be ok on the surface: > > ra#sh ipv6 cef tun0 > 2001:DB8:B::/48 > nexthop FE80::C316:9ED Tunnel0 ^^^^^^^^^^^^^^ > 2001:DB8:1::/126 > attached to Tunnel0 > > rb#sh ipv6 cef tun0 > 2001:DB8:A::/48 > nexthop FE80::C316:9ED Tunnel0 ^^^^^^^^^^^^^^ should be FE80::C316:9EE if this was a paste-o, ignore this mail > 2001:DB8:1::/126 > attached to Tunnel0 > ra#sh ipv6 cef exact-route 2001:db8:a::1 2001:db8:b::1 > 2001:DB8:A::1 -> 2001:DB8:B::1 interface Tunnel0 > > rb#sh ipv6 cef exact-route 2001:db8:b::1 2001:db8:a::1 > 2001:DB8:B::1 -> 2001:DB8:A::1 interface Tunnel0 > > **BUT** > > if you dig deeper, you find that this isn't the case at all: > > ra#execute-on slot sh ipv6 cef exact-route 2001:db8:a::1 2001:db8:b::1 > 2001:DB8:A::1 -> 2001:DB8:B::1 interface Tunnel0 > Adjacency is incomplete so not cef switched > > ra#execute-on slot sh ipv6 cef exact-route 2001:db8:a::1 2001:db8:b::1 > 2001:DB8:A::1 -> 2001:DB8:B::1 interface Tunnel0 > Adjacency is incomplete so not cef switched > > but this message does not appear on rb guess: since rb doesn't point to FE80::C316:9EE there's no adjacency to be incomplete. does 'sh ipv6 cef unresolved' show anything? i'm hitting the limits of my knowledge. > So, it looks like the lack of adjacency is the cause, > before I go open a TAC case (and get told to clear dCEF tables/ > reboot linecards) , is there anything non-invasive I could try to debug/resolve this? how are RA,RB getting routes for 2001:DB8:A::1 and 2001:DB8:B::1? if dynamically, try static. if static, try a routing protocol. just to mix things up. 
:) a pair of cisco 7301s, albeit running GRE and not ip6ip (sorry) rtr1.n>show ipv6 int tun1003 | i link IPv6 is enabled, link-local address is FE80::217:FFF:FE1C:BC1B rtr1.n>show ipv6 cef tun1003 AAAA:0:BBF:1::1/128 nexthop FE80::217:FFF:FE07:2C1B Tunnel1003 [... other learned networks with the same output ...] rtr1.n>show ipv6 int lo0 | i subnet AAAA:0:BBC:1::1, subnet is AAAA:0:BBC:1::1/128 rtr1.n>show ipv6 cef exact-route AAAA:0:BBC:1::1 AAAA:0:BBF:1::1 AAAA:0:BBC:1::1 -> AAAA:0:BBF:1::1 => IPV6 adj out of Tunnel1003 rtr1.n> rtr1.p>show ipv6 int tun1003 | i link IPv6 is enabled, link-local address is FE80::217:FFF:FE07:2C1B rtr1.p>show ipv6 cef tun1003 AAAA:0:BBC:1::1/128 nexthop FE80::217:FFF:FE1C:BC1B Tunnel1003 [... other learned networks with the same output ...] rtr1.p>show ipv6 int lo0 | i subnet AAAA:0:BBF:1::1, subnet is AAAA:0:BBF:1::1/128 rtr1.p> rtr1.p>show ipv6 cef exact-route AAAA:0:BBF:1::1 AAAA:0:BBC:1::1 AAAA:0:BBF:1::1 -> AAAA:0:BBC:1::1 => IPV6 adj out of Tunnel1003 rtr1.p> unless your output from above is a paste-o, it looks like the link-local addresses aren't being resolved properly between RA and RB at your end. in my scenario, the output of 'sh ipv6 cef' corresponds to the link-local address of the tunnel at the far side. however, i both don't have "attached to TunnelX" and the resolution through that in my cef tables because i use unnumbered ipv6 interfaces and run ospf3 across them. ipv6 address autoconfig ipv6 unnumbered Loopback0 maybe instead of the /126 you could try using unnumbered loopbackX. -- bill p.s. 
12.2(31)SB11, if it matters From mtinka at globaltransit.net Wed Dec 10 02:17:40 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 10 Dec 2008 15:17:40 +0800 Subject: [c-nsp] URL redirection In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A5024C38E3@xmb-ams-331.emea.cisco.com> References: <67F7C1FAF83A074AA3520D8F155782A5024C38E3@xmb-ams-331.emea.cisco.com> Message-ID: <200812101517.41486.mtinka@globaltransit.net> On Tuesday 09 December 2008 14:58:48 Arie Vayner (avayner) wrote: > Google most likely uses some kind of IP geo-lookup, and > they use your source IP to decide to which page you would > be redirected. This stuff gets quite annoying when it doesn't work the way it should. We have a case open for almost a month now with Google and Yahoo, to get some of our address space updated with the Geo-location service providers - it keeps saying we're in some country we're not, when clearly we're not. It's a shame that updating this information takes so long. Mark. From roddy.strachan at staff.netspace.net.au Wed Dec 10 03:39:28 2008 From: roddy.strachan at staff.netspace.net.au (Roddy Strachan) Date: Wed, 10 Dec 2008 19:39:28 +1100 Subject: [c-nsp] Utilization of a line card (7606) Message-ID: <56F211C5E3F24F47B103EA1B253822BE03BB6D53@vic-cr-ex1.staff.netspace.net.au> Hey guys, Hoping someone can help. Is there any command to check the utilisation of a specific card within a 7606? Or let's be more specific, I suspect a line card in the router is overloaded and causing the CPU to spike, is there any way to find out how much utilisation that card is using to check to see if we are over subscribing it or not ?
The card model in question is a WS-X6148A-GE-TX which I believe has no dedicated packet processor like a SIP-400/SPA so therefore it punts everything to the CPU. Thanks This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. From erik at infopact.nl Wed Dec 10 03:46:10 2008 From: erik at infopact.nl (E. Versaevel) Date: Wed, 10 Dec 2008 09:46:10 +0100 Subject: [c-nsp] Utilization of a line card (7606) In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03BB6D53@vic-cr-ex1.staff.netspace.net.au> References: <56F211C5E3F24F47B103EA1B253822BE03BB6D53@vic-cr-ex1.staff.netspace.net.au> Message-ID: <493F81D2.4040400@infopact.nl> Hi Roddy, router#remote command module 1 show proc cpu sort CPU utilization for five seconds: 4%/0%; one minute: 4%; five minutes: 4% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 121 163451056 328079970 498 4.39% 4.32% 4.33% 0 fw_lcp process 2 824 750462 1 0.00% 0.00% 0.00% 0 Load Meter (although this is a WS-X6724-SFP) Kind regards, Erik Versaevel ps, any idea what the fw_lcp process is? Roddy Strachan schreef: > Hey guys, > > > > Hoping someone can help. > > > > Is there any command to check the utilisation of a specific card within > a 7606? 
Erik Versaevel From dgranzer at gmail.com Wed Dec 10 04:36:44 2008 From: dgranzer at gmail.com (David Granzer) Date: Wed, 10 Dec 2008 10:36:44 +0100 Subject: [c-nsp] SXH4 Applying VLAN changes may take few minutes Message-ID: <844ef89c0812100136u7ea68934w8e8003b2a021232b@mail.gmail.com> Hello, did anybody see the output below with SXH4? Why can applying a vlan take a few minutes? 6503-lab-1#conf t Enter configuration commands, one per line. End with CNTL/Z. 6503-lab-1(config)#vlan 123 6503-lab-1(config-vlan)#end % Applying VLAN changes may take few minutes. Please wait..
In a lab environment with a few vlans configured, applying a vlan takes less than one second (like before with SXH and SXF). Thanks, David From gert at greenie.muc.de Wed Dec 10 04:46:14 2008 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 10 Dec 2008 10:46:14 +0100 Subject: [c-nsp] SXH4 Applying VLAN changes may take few minutes In-Reply-To: <844ef89c0812100136u7ea68934w8e8003b2a021232b@mail.gmail.com> References: <844ef89c0812100136u7ea68934w8e8003b2a021232b@mail.gmail.com> Message-ID: <20081210094614.GF8535@greenie.muc.de> Hi, On Wed, Dec 10, 2008 at 10:36:44AM +0100, David Granzer wrote: > did anybody see the output below with SXH4? Why can applying a vlan take a > few minutes? > > 6503-lab-1#conf t > Enter configuration commands, one per line. End with CNTL/Z. > 6503-lab-1(config)#vlan 123 > 6503-lab-1(config-vlan)#end > % Applying VLAN changes may take few minutes. Please wait.. Same message here, with SXH3a and SXI. But it never took any sort of "noticeable" time. I'd guess that this might be different in a VTP environment with "lots of" devices. We don't use VTP (anymore), though, so I wouldn't know. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From roddy.strachan at staff.netspace.net.au Wed Dec 10 05:38:20 2008 From: roddy.strachan at staff.netspace.net.au (Roddy Strachan) Date: Wed, 10 Dec 2008 21:38:20 +1100 Subject: [c-nsp] Utilization of a line card (7606) References: <56F211C5E3F24F47B103EA1B253822BE03BB6D53@vic-cr-ex1.staff.netspace.net.au> <493F81D2.4040400@infopact.nl> Message-ID: <56F211C5E3F24F47B103EA1B253822BE03BB6D55@vic-cr-ex1.staff.netspace.net.au> Thanks Doesn't seem to work though #remote command module 2 sh proc cpu Cannot remote to module 2 Do I need to enable something in the config? -----Original Message----- From: E. Versaevel [mailto:erik at infopact.nl] Sent: Wednesday, 10 December 2008 7:46 PM To: Roddy Strachan Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Utilization of a line card (7606) Hi Roddy, router#remote command module 1 show proc cpu sort CPU utilization for five seconds: 4%/0%; one minute: 4%; five minutes: 4% PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 121 163451056 328079970 498 4.39% 4.32% 4.33% 0 fw_lcp process 2 824 750462 1 0.00% 0.00% 0.00% 0 Load Meter (although this is a WS-X6724-SFP) Kind regards, Erik Versaevel ps, any idea what the fw_lcp process is?
From david.freedman at uk.clara.net Wed Dec 10 05:47:01 2008 From: david.freedman at uk.clara.net (David Freedman) Date: Wed, 10 Dec 2008 10:47:01 -0000 Subject: [c-nsp] IOS IPv6 CEF adjacencies on 12xxx References: <20081210052242.GM97614@elvis.mu.org> Message-ID: > should be FE80::C316:9EE if this was a paste-o, ignore this mail Yes, sorry, I was typing this afresh and not pasting :) >guess: >since rb doesn't point to FE80::C316:9EE there's no adjacency to be >incomplete. >does 'sh ipv6 cef unresolved' show anything? Nope, no unresolved entries >i'm hitting the limits of my knowledge.
> So, it looks like the lack of adjacency is the cause, > before I go open a TAC case (and get told to clear dCEF tables/ > reboot linecards) , is there anything non-invasive I could try to debug/resolve this? >how are RA,RB getting routes for 2001:DB8:A::1 and 2001:DB8:B::1? >if dynamically, try static. if static, try a routing protocol. just to >mix things up. :) Dynamically, via eBGP >a pair of cisco 7301s, albeit running GRE and not ip6ip (sorry) Yes thanks, mine looks like this, except when you ask the linecards, which makes me think this is something specific to the platform. Dave. From moshemizrachi at gmail.com Wed Dec 10 06:53:30 2008 From: moshemizrachi at gmail.com (moshe mizrachi) Date: Wed, 10 Dec 2008 13:53:30 +0200 Subject: [c-nsp] 12.2(33)SRC2 running 7600 Message-ID: Hi all, does someone have any notes on open bugs on a 7600 RSP720-3CXL-GE running 12.2(33)SRC2, as well as what is going to be solved in 12.2(33)SRC3? The bug toolkit is empty..... regards moshe From A.L.M.Buxey at lboro.ac.uk Wed Dec 10 07:36:06 2008 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Wed, 10 Dec 2008 12:36:06 +0000 Subject: [c-nsp] SXH4 Applying VLAN changes may take few minutes In-Reply-To: <844ef89c0812100136u7ea68934w8e8003b2a021232b@mail.gmail.com> References: <844ef89c0812100136u7ea68934w8e8003b2a021232b@mail.gmail.com> Message-ID: <20081210123606.GB14253@lboro.ac.uk> hi, maybe just covering themselves? The worst I've seen was a few seconds - that's with just over 120 VLANs on a VTP domain with 3 masters....
alan From achatz at forthnet.gr Wed Dec 10 08:10:35 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Wed, 10 Dec 2008 15:10:35 +0200 Subject: [c-nsp] Utilization of a line card (7606) In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03BB6D55@vic-cr-ex1.staff.netspace.net.au> References: <56F211C5E3F24F47B103EA1B253822BE03BB6D53@vic-cr-ex1.staff.netspace.net.au> <493F81D2.4040400@infopact.nl> <56F211C5E3F24F47B103EA1B253822BE03BB6D55@vic-cr-ex1.staff.netspace.net.au> Message-ID: <493FBFCB.1010500@forthnet.gr> I think you need DFC-enabled cards in order to use remote commands in them. Also, in later IOS you can use "sh platform hard cap" to check a lot of stuff. Besides that, "sh queueing interface" might give you some clues too. -- Tassos Roddy Strachan wrote on 10/12/2008 12:38: > Thanks > > Doesn't seem to work though > > #remote command module 2 sh proc cpu > Cannot remote to module 2 > > > Do I need to enable something in the config?
> Checked by AVG - http://www.avg.com > Version: 8.0.176 / Virus Database: 270.9.16/1840 - Release Date: > 9/12/2008 4:53 PM > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From justin at justinshore.com Wed Dec 10 09:34:23 2008 From: justin at justinshore.com (Justin Shore) Date: Wed, 10 Dec 2008 08:34:23 -0600 Subject: [c-nsp] DS3 mux issues In-Reply-To: <56F5BC5F404CF84896C447397A1AAF20B0F349@MAIL.nosi.netos.com> References: <493EE315.2000103@justinshore.com> <56F5BC5F404CF84896C447397A1AAF20B0F349@MAIL.nosi.netos.com> Message-ID: <493FD36F.9080007@justinshore.com> Darryl Dunkin wrote: > The line code for individual T1s is handled on the MUX. Based on the > counters of line code violations, I'd check there first and see what it > is set to. Thanks to all the replies. Here what the mux is configured for currently: - DS3 ds3 circuitid "DS3" ds3 clock int ds3 clockrevert on ds3 equipment off ds3 framing m23 ds3 length short ds3 line off ds3 loopdetect off ds3 payload off ds3 send off ds3 threshold off Performance Thresholds: 15 min. 1 hour 1 day -------- -------- -------- coding violations - line: 387 1161 3865 errored seconds - line: 25 75 250 coding viols-path p-bit: 382 1146 3820 err seconds - path p-bit: 25 75 250 loss of signal secs - line: 4 12 40 sev err seconds - line: 4 12 40 sev err sec - path cp-bit: 4 12 40 - 1 ds1 1 circuitid "DS1 1" ds1 1 enable ds1 1 equipment off ds1 1 length dsx0 ds1 1 line off ds1 1 linecode b8zs ds1 1 loopdetect off ds1 1 metallic off ds1 1 send off Performance Thresholds: 15 min. 
1 hour 1 day
-------- -------- --------
coding violations - line: 13340 40020 133400
errored seconds - line: 65 195 648

- 2
ds1 2 circuitid "DS1 2"
ds1 2 enable
ds1 2 equipment off
ds1 2 length dsx0
ds1 2 line off
ds1 2 linecode b8zs
ds1 2 loopdetect off
ds1 2 metallic off
ds1 2 send off
Performance Thresholds: 15 min. 1 hour 1 day
-------- -------- --------
coding violations - line: 13340 40020 133400
errored seconds - line: 65 195 648

So it looks like my DS1 linecode is ok. The length of "dsx0" corresponds to 0-110'. Would clocking keep the DS1 from coming up? I'm currently trying to generate the clock on the 7206 since we don't have another external clock source in that CO. Eventually we'll have several M13s (though probably not another Wide Bank brand... what a clunky EOF...). Should I generate the clock on the M13 or the router?

Thanks
Justin

From justin at justinshore.com Wed Dec 10 09:43:31 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 10 Dec 2008 08:43:31 -0600
Subject: [c-nsp] DS3 mux issues
In-Reply-To:
References: <493EE315.2000103@justinshore.com>
Message-ID: <493FD593.6040604@justinshore.com>

Justin M. Streiner wrote:
> Can you loop one of the T1s on the 7206 and see the loop on the 2811?

It looks like it's 't1 1 loopback network line' on this 7200's IOS. I looped it up and the 2811 sees it as down still. So that would point the problem back at the mux, wouldn't it? On the Wide Bank I can do a metallic loopback on the DS1 facing the 2811 and it pops up.

> I think you may need to have a peek at the config on the mux if
> possible. It looks like your frames aren't passing through, which is
> probably why your T1s are showing LOF/AIS. When you put a hard loop on
> the physical T1 end, facing back to the 7206, do the LOF/AIS indicators
> go out on that port? From what I can see, the router configs look OK.

I finally got the M13 on the network. That mux is like something from an old scifi movie from the 80s, even though it's brand new. Here's the config through the first 2 DS1s. There isn't much meat to it.

(A:Active) > config

- CONTROLLER
ds1 protect on
ds3 protect off
autocopy on
revertive ds3 on
revertive ds1 off
arm on
ffo present on
security off
screen 24
ip address 10.160.0.50
ip mask 255.255.255.224
ip gateway 10.160.0.33
ip nms1
ip nms2
ip nms3
ip ppp 192.168.255.241
ip route ethernet
snmp name "Name"
snmp location "Location"
snmp contact "Contact"
snmp getcomm "public"
snmp setcomm "public"
snmp trapcomm "public"

- DS3
ds3 circuitid "DS3"
ds3 clock line
ds3 clockrevert on
ds3 equipmentid "DS3 Equip."
ds3 equipment off
ds3 facilityid "DS3 Path"
ds3 frameid "Frame"
ds3 framing cbit
ds3 gennumber "DS3 Test Generator"
ds3 length short
ds3 line off
ds3 locationid "DS3 Loc."
ds3 loopdetect off
ds3 payload off
ds3 portnumber "DS3 Idle Port"
ds3 send off
ds3 threshold off
ds3 unit "000000"
Performance Thresholds: 15 min. 1 hour 1 day
-------- -------- --------
coding violations - line: 387 1161 3865
errored seconds - line: 25 75 250
coding viols-path p-bit: 382 1146 3820
err seconds - path p-bit: 25 75 250
loss of signal secs - line: 4 12 40
sev err seconds - line: 4 12 40
sev err sec - path cp-bit: 4 12 40

- 1
ds1 1 circuitid "DS1 1"
ds1 1 enable
ds1 1 equipment off
ds1 1 length dsx0
ds1 1 line off
ds1 1 linecode b8zs
ds1 1 loopdetect off
ds1 1 metallic off
ds1 1 send off
Performance Thresholds: 15 min. 1 hour 1 day
-------- -------- --------
coding violations - line: 13340 40020 133400
errored seconds - line: 65 195 648

- 2
ds1 2 circuitid "DS1 2"
ds1 2 enable
ds1 2 equipment off
ds1 2 length dsx0
ds1 2 line off
ds1 2 linecode b8zs
ds1 2 loopdetect off
ds1 2 metallic off
ds1 2 send off
Performance Thresholds: 15 min. 1 hour 1 day
-------- -------- --------
coding violations - line: 13340 40020 133400
errored seconds - line: 65 195 648

> Also make sure the mux isn't trying to inject its own clocking into the
> T1s. It probably isn't, but it's a good idea to check.
The mux was using its own internal clock until this morning. I set it to line on the DS3 side. I imagine, well I hope, that it would pass clocking through to the 2811 when configured like this too but I can't say for certain.

Someone suggested checking the wiring, that perhaps send/receive were flipped. That's certainly a possibility. That would explain why either end would come up when I physically loop up the circuit. Let me double check it.

Thanks
Justin

From cchurc05 at harris.com Wed Dec 10 09:50:43 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 10 Dec 2008 08:50:43 -0600
Subject: [c-nsp] SXH4 Applying VLAN changes may take few minutes
In-Reply-To: <844ef89c0812100136u7ea68934w8e8003b2a021232b@mail.gmail.com>
References: <844ef89c0812100136u7ea68934w8e8003b2a021232b@mail.gmail.com>
Message-ID:

Which VTP version? V3 has more 'checks' in it, might explain it. I've never seen that with V1/V2.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Granzer
Sent: Wednesday, December 10, 2008 4:37 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SXH4 Applying VLAN changes may take few minutes

Hello,

did anybody see output below with SXH4 ? Why applying vlan can take a few minutes ?

6503-lab-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
6503-lab-1(config)#vlan 123
6503-lab-1(config-vlan)#end
% Applying VLAN changes may take few minutes. Please wait..

In lab environment with a few vlans configured applying vlan takes less than one second (like before with SXH and SXF).
Thanks,
David

From dgranzer at gmail.com Wed Dec 10 10:02:23 2008
From: dgranzer at gmail.com (David Granzer)
Date: Wed, 10 Dec 2008 16:02:23 +0100
Subject: [c-nsp] SXH4 Applying VLAN changes may take few minutes
In-Reply-To:
References: <844ef89c0812100136u7ea68934w8e8003b2a021232b@mail.gmail.com>
Message-ID: <844ef89c0812100702p7ea087bcj3c2a34801f529411@mail.gmail.com>

6503-lab-1#sh vtp status | i Version|VTP Ope
VTP Version : 2
VTP Operating Mode : Transparen

David

On Wed, Dec 10, 2008 at 3:50 PM, Church, Charles wrote:
> Which VTP version? V3 has more 'checks' in it, might explain it. I've
> never seen that with V1/V2.
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Granzer
> Sent: Wednesday, December 10, 2008 4:37 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] SXH4 Applying VLAN changes may take few minutes
>
> Hello,
>
> did anybody see output below with SXH4 ? Why applying vlan can take a
> few minutes ?
>
> 6503-lab-1#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> 6503-lab-1(config)#vlan 123
> 6503-lab-1(config-vlan)#end
> % Applying VLAN changes may take few minutes. Please wait..
>
> In lab environment with a few vlans configured applying vlan takes less
> than one second (like before with SXH and SXF).
>
> Thanks,
> David

From p.mayers at imperial.ac.uk Wed Dec 10 10:10:31 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 10 Dec 2008 15:10:31 +0000
Subject: [c-nsp] SXH4 Applying VLAN changes may take few minutes
In-Reply-To: <844ef89c0812100702p7ea087bcj3c2a34801f529411@mail.gmail.com>
References: <844ef89c0812100136u7ea68934w8e8003b2a021232b@mail.gmail.com> <844ef89c0812100702p7ea087bcj3c2a34801f529411@mail.gmail.com>
Message-ID: <493FDBE7.7030803@imperial.ac.uk>

David Granzer wrote:
> 6503-lab-1#sh vtp status | i Version|VTP Ope
> VTP Version : 2
> VTP Operating Mode : Transparen

I'm pretty sure the error is cosmetic, and can be ignored. Chuck is probably half-right - I bet it's appeared because SXH/SXI have support for VTP3 (even if you're not using it)

From justin at justinshore.com Wed Dec 10 10:16:34 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 10 Dec 2008 09:16:34 -0600
Subject: [c-nsp] DS3 mux issues
In-Reply-To: <200812091658.29211.lesmith@ecsis.net>
References: <493EE315.2000103@justinshore.com> <200812091658.29211.lesmith@ecsis.net>
Message-ID: <493FDD52.404@justinshore.com>

Larry Smith wrote:
>> t1 26 channel-group 0 timeslots 1-24
>> t1 27 channel-group 0 timeslots 1-24
>> t1 28 channel-group 0 timeslots 1-24
>>
> controller T3 5/0
> framing m23
> clock source line
> cablelength 10
> t1 1 channel-group 0 timeslots 1-24
> t1 2 channel-group 1 timeslots 1-24
> t1 3 channel-group 2 timeslots 1-12

Morning, Larry. Do you know if the channel-group # is significant to each DS1 or does the channel-group # have to be unique across the DS3? I'm thinking that it's unique to the DS1 so that you can create X number of channel-groups on a DS1 if needed but I'm not 100% on that.
> t1 1 clock source Line

Do you think I should generate clocking on our router or on the mux? We don't have an external clock source in that CO. I expect to have up to a dozen different M13s connected to this 7206 as time goes by. Would it be a problem if the 7206 received clocking on each DS3 from each of the muxes or would that screw things up internally? At this point I don't expect to get handed a T1 w/ clocking from the RBOC. All the CPEs will be line of course.

> On your virtual, what does it show:

7206:
Serial1/0/1:0 is down, line protocol is down
  Hardware is PA-MC-2T3-EC
  Internet address is 1.1.1.1/24
  MTU 1500 bytes, BW 1536 Kbit/sec, DLY 20000 usec,
     reliability 253/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input 18:15:59, output never, output hang never
  Last clearing of "show interface" counters 00:00:07
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/1/16 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1152 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions alarm present
  VC:0 Timeslot(s): 1-24, Transmitter delay 0, non-inverted data

2811:
Serial0/1/1:0 is down, line protocol is down
  Hardware is GT96K Serial
  MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
     reliability 252/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  CRC checking enabled
  Last input 18:33:23, output 18:33:13, output hang never
  Last clearing of "show interface" counters 19:36:46
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/1/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1152 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     39 packets input, 3582 bytes, 0 no buffer
     Received 39 broadcasts, 0 runts, 1 giants, 0 throttles
     16 input errors, 16 CRC, 14 frame, 6 overrun, 0 ignored, 8 abort
     40 packets output, 3606 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     2 carrier transitions
  Timeslot(s) Used:1-24, SCC: 1, Transmitter delay is 0 flags

Both are configured only with an IP and are unshut.

Thanks
Justin

From david at davidcoulson.net Wed Dec 10 10:25:15 2008
From: david at davidcoulson.net (David Coulson)
Date: Wed, 10 Dec 2008 10:25:15 -0500
Subject: [c-nsp] DS3 mux issues
In-Reply-To: <493FDD52.404@justinshore.com>
References: <493EE315.2000103@justinshore.com> <200812091658.29211.lesmith@ecsis.net> <493FDD52.404@justinshore.com>
Message-ID: <493FDF5B.10706@davidcoulson.net>

Justin Shore wrote:
> Morning, Larry. Do you know if the channel-group # is significant to
> each DS1 or does the channel-group # have to be unique across the DS3?
> I'm thinking that it's unique to the DS1 so that you can create X
> number of channel-groups on a DS1 if needed but I'm not 100% on that.

Channel-groups are defined on a per-T1 basis. You can create them all 'channel-group 0', which is what most people do. If you want frac-T1s, you can do channel-group 0, channel-group 1, within one T1, then go back to channel-group 0 with the next T1.

> Do you think I should generate clocking on our router or on the mux?
> We don't have an external clock source in that CO.
> I expect to have
> up to a dozen different M13s connected to this 7206 as time goes by.
> Would it be a problem if the 7206 received clocking on each DS3 from
> each of the muxes or would that screw things up internally? At this
> point I don't expect to get handed a T1 w/ clocking from the RBOC.
> All the CPEs will be line of course.

Once you have 12 cT3s on a 7206, you'll probably have different issues, but all ports can independently clock from different sources, or generate clocking for you. I can't imagine it makes much difference if the router or mux does it, although since you have someone else managing the mux, making it do as little as possible may be a good thing :)

>
> 7206:
> Serial1/0/1:0 is down, line protocol is down

What does the mux show as the status of this channel (the individual DS-1, or 'port').

From zonaalpha at gmail.com Wed Dec 10 10:42:05 2008
From: zonaalpha at gmail.com (fran Caste)
Date: Wed, 10 Dec 2008 16:42:05 +0100
Subject: [c-nsp] show diag
Message-ID: <52c6d9270812100742q5eea485eifdfed2a06d8e43d5@mail.gmail.com>

Slot 0:
        C2651XM 2FE Mainboard Port adapter, 3 ports
        Port adapter is analyzed
        Port adapter insertion time unknown
        EEPROM contents at hardware discovery:
        Hardware Revision        : 4.1
        PCB Serial Number        : FOC103306SJ
        Version Identifier       :
        Product (FRU) Number     :
        Chassis Serial Number    : FTX1036A3FT
        Part Number              : 73-7756-06
        RMA History              : 00
        RMA Number               : 0-0-0-0
        Board Revision           : C0
        Deviation Number         : 0-0
        EEPROM format version 4
        EEPROM contents (hex):
          0x00: 04 FF 40 03 6F 41 04 01 C1 0B 46 4F 43 31 30 33
          0x10: 33 30 36 53 4A 89 FF FF FF FF CB 12 FF FF FF FF
          0x20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF C2 0B
          0x30: 46 54 58 31 30 33 36 41 33 46 54 82 49 1E 4C 06
          0x40: 04 00 81 00 00 00 00 42 43 30 80 00 00 00 00 FF
          0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
          0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

        WIC Slot 0: E1 (2 port) Multi-Flex Trunk (Drop&Insert) WAN daughter card
        Hardware revision 1.0           Board revision B0
        Serial number     35162362      Part number    800-04615-04
        FRU Part Number   VWIC-2MFT-E1-DI=
        Test history      0x0           RMA number     00-00-00
        Connector type    PCI
        EEPROM format version 1
        EEPROM contents (hex):
          0x20: 01 25 01 00 02 18 88 FA 50 12 07 04 00 00 00 00
          0x30: 58 00 00 00 06 08 17 00 FF FF FF FF FF FF FF FF

From justin at justinshore.com Wed Dec 10 11:40:09 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 10 Dec 2008 10:40:09 -0600
Subject: [c-nsp] DS3 mux issues
In-Reply-To: <493FDF5B.10706@davidcoulson.net>
References: <493EE315.2000103@justinshore.com> <200812091658.29211.lesmith@ecsis.net> <493FDD52.404@justinshore.com> <493FDF5B.10706@davidcoulson.net>
Message-ID: <493FF0E9.1020503@justinshore.com>

David Coulson wrote:
> Channel-groups are defined on a per-T1 basis. You can create them all
> 'channel-group 0', which is what most people do. If you want frac-T1s,
> you can do channel-group 0, channel-group 1, within one T1, then go back
> to channel-group 0 with the next T1.

Ok, that's what I was thinking. I don't know if we'll need to do any fractional T1s at this point. The majority of our offering will be LRE and we'll be using bonded T1s where we can offer LRE yet so I'd expect multiple bonded T1s per customer and no fractional T1s.

> Once you have 12 cT3s on a 7206, you'll probably have different issues,
> but all ports can independently clock from different sources, or
> generate clocking for you. I can't imagine it makes much difference if
> the router or mux does it, although since you have someone else managing
> the mux, making it do as little as possible may be a good thing :)

If we start to strain the 7206 I imagine it will be replaced with an ASR or we'll pick up another 7206. If the product offering is well-received and we move into newer, more dense areas we may start with a 7600 right out of the gate. Not now though.

We will be managing this mux in the end.
One of our telco's CO techs set it up for us since they also use Wide Banks. I predict that this will be the last Wide Bank we buy. This thing is fugly. I imagine we'll get an Adtran or something else a little more modern next time.

> What does the mux show as the status of this channel (the individual
> DS-1, or 'port').

- 1
ds1 1 circuitid "DS1 1"
ds1 1 enable
ds1 1 equipment off
ds1 1 length dsx0
ds1 1 line off
ds1 1 linecode b8zs
ds1 1 loopdetect off
ds1 1 metallic off
ds1 1 send off
Performance Thresholds: 15 min. 1 hour 1 day
-------- -------- --------
coding violations - line: 13340 40020 133400
errored seconds - line: 65 195 648

I've got the CO tech coming back to help me troubleshoot it this afternoon. With his TBird we should be able to see what's going on. Any other thoughts? I'm not sure how I test the DS1 from the 7206 through to the mux.

Thanks
Justin

From petelists at templin.org Wed Dec 10 12:03:29 2008
From: petelists at templin.org (Pete Templin)
Date: Wed, 10 Dec 2008 11:03:29 -0600
Subject: [c-nsp] DS3 mux issues
In-Reply-To: <493FF0E9.1020503@justinshore.com>
References: <493EE315.2000103@justinshore.com> <200812091658.29211.lesmith@ecsis.net> <493FDD52.404@justinshore.com> <493FDF5B.10706@davidcoulson.net> <493FF0E9.1020503@justinshore.com>
Message-ID: <493FF661.5030101@templin.org>

Justin Shore wrote:
> Ok, that's what I was thinking. I don't know if we'll need to do any
> fractional T1s at this point. The majority of our offering will be LRE
> and we'll be using bonded T1s where we can offer LRE yet so I'd expect
> multiple bonded T1s per customer and no fractional T1s.
>
> If we start to strain the 7206 I imagine it will be replaced with an ASR
> or we'll pick up another 7206. If the product offering is well-received
> and we move into newer, more dense areas we may start with a 7600 right
> out of the gate. Not now though.

I have one 7206 (non-VXR, NPE-225) handling ~15 fractional T1s and ~18 full T1s.
There are three MLPPP bundles within those ~18 full T1s. CPU is generally 20-30%. I have another 7206/NPE-225 handling ~7 fractional T1s and ~22 full T1s. CPU is generally 15%, so I think MLPPP is a performance hog.

Our future growth will be 7206VXR/NPE-G1, and we're going to keep an eye on CPU so we know if/when we need to switch to the PA-MC-2T3-EC (which supposedly offloads the MLPPP functions to the PA).

Our growth plan isn't firm (but it doesn't need to be). It's likely going to be ChOC12/T1-ISE in our 12000s, since we have one in any relevant market for DS3 and OCx ("high-speed WAN distribution router"). The ASR1004 is also on the radar. ASR1002 has horrible density if you're going to do card-diverse uplinks (there goes 2/3 of the SPA slots). ASR1006, assuming 2xGE and 10x4xChT3, ends up with more than a GE of traffic across the T1s (likely never an issue, but...).

I'd be leery of using an Ethernet switch (7600) for high-density T1 aggregation, but that's just me.

pt

From ross at kallisti.us Wed Dec 10 12:04:08 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 10 Dec 2008 12:04:08 -0500
Subject: [c-nsp] SXH4 Applying VLAN changes may take few minutes
In-Reply-To: <493FDBE7.7030803@imperial.ac.uk>
References: <844ef89c0812100136u7ea68934w8e8003b2a021232b@mail.gmail.com> <844ef89c0812100702p7ea087bcj3c2a34801f529411@mail.gmail.com> <493FDBE7.7030803@imperial.ac.uk>
Message-ID: <20081210170408.GC8974@kallisti.us>

On Wed, Dec 10, 2008 at 03:10:31PM +0000, Phil Mayers wrote:
> David Granzer wrote:
> >6503-lab-1#sh vtp status | i Version|VTP Ope
> >VTP Version : 2
> >VTP Operating Mode : Transparen
>
> I'm pretty sure the error is cosmetic, and can be ignored. Chuck is
> probably half-right - I bet it's appeared because SXH/SXI have support
> for VTP3 (even if you're not using it)

As the number of VLANs grows past two thousand on a pair of 6500s we have, VLAN database operations do tend to take longer. Not minutes, but often 15-30 seconds. This is on SXF.
It's probably just informational to explain that nothing is wrong. The first time I ever saw it take a while, I was pretty nervous. It'd have been nice to have a little note that things were just fine!

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From justin at justinshore.com Wed Dec 10 12:16:04 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 10 Dec 2008 11:16:04 -0600
Subject: [c-nsp] DS3 mux issues - SOLVED
In-Reply-To: <493EE315.2000103@justinshore.com>
References: <493EE315.2000103@justinshore.com>
Message-ID: <493FF954.5000101@justinshore.com>

Justin Shore wrote:
> We're staging a DS3 mux to aggregate T1s back to a PA-MC-2T3-EC in a
> 7206VXR (G2) running 12.4(15)T7. I haven't channelized a T3 before so
> I'm feeling my way through this. It looks to be relatively simple but
> I'm getting tripped up somewhere. On the 7206:

We just solved the problem. After soldering the tech's TBird back together he hooked it up and quickly figured out that the T & R pairs were flipped. He took care of that and the T1s popped up right away. I believe it was Jonathan Herbert who first suggested that as a possible culprit so many thanks to him. That would explain why the circuit would come up when physically looped because it wouldn't matter if T & R were flipped at that point. But of course the routers themselves would never make the connection on their own.

So at this point I'm generating clocking on the DS3 from the 7206; the 7206's DS1s are set to get clocking internally; the mux is set to get clocking off the DS3 from the 7206; and finally the CPEs are always set to line for clocking. I'm currently running with M23 on the DS3. It was suggested that I switch to cbit for better diagnostics in the event of DS3 failure. I'll test that this afternoon.

Many thanks for all the help. In the end we were tripped up by a simple L1 problem.
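[Editor's added example, not part of Justin's message or anyone's code on the list: a small Python check for the two rules this thread settled on, that channel-groups are scoped per T1 (so "channel-group 0" may repeat on every T1, but two groups on one T1 must not share timeslots) and that each clocked link, DS3 or DS1, needs exactly one end sourcing clock. The controller config and the link list below are constructed to mirror the thread's setup.]

```python
"""Two consistency checks for a channelized T3 setup like the one in this
thread: channel-groups are scoped per T1 (the same 'channel-group 0' may be
reused on every T1, but groups within one T1 must not share timeslots), and
every clocked link must have exactly one end sourcing clock. Added example,
not code from the list; the controller config below is constructed."""
import re
from collections import defaultdict

# Matches IOS controller lines such as 't1 2 channel-group 1 timeslots 13-24'
T1_RE = re.compile(
    r"^\s*t1\s+(\d+)\s+channel-group\s+(\d+)\s+timeslots\s+([\d,\-]+)\s*$")


def parse_timeslots(spec):
    """'1-12,24' -> {1, ..., 12, 24}; rejects anything outside DS0 slots 1-24."""
    slots = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 24:
            raise ValueError(f"bad timeslot range {part!r}")
        slots.update(range(lo, hi + 1))
    return slots


def check_channel_groups(config_text):
    """Return problems found in the 't1 N channel-group G timeslots ...' lines.
    A group number may repeat across T1s; within one T1 each group number may
    appear once and no two groups may share a timeslot."""
    problems = []
    per_t1 = defaultdict(dict)  # T1 number -> {group number: timeslot set}
    for line in config_text.splitlines():
        m = T1_RE.match(line)
        if not m:
            continue
        t1, group, spec = int(m.group(1)), int(m.group(2)), m.group(3)
        try:
            slots = parse_timeslots(spec)
        except ValueError as exc:
            problems.append(f"t1 {t1}: {exc}")
            continue
        groups = per_t1[t1]
        if group in groups:
            problems.append(f"t1 {t1}: channel-group {group} defined twice")
            continue
        for other, used in groups.items():
            clash = slots & used
            if clash:
                problems.append(
                    f"t1 {t1}: channel-group {group} overlaps channel-group "
                    f"{other} on timeslots {sorted(clash)}")
        groups[group] = slots
    return problems


def check_clock_chain(links):
    """links: (name, end_a, end_b) tuples with each end 'internal' or 'line'.
    Two 'internal' ends fight each other; two 'line' ends leave nobody driving
    the circuit. Returns one problem string per bad link."""
    problems = []
    for name, end_a, end_b in links:
        sources = [end for end in (end_a, end_b) if end == "internal"]
        if len(sources) != 1:
            problems.append(f"{name}: {end_a}/{end_b} (need exactly one internal)")
    return problems


# Constructed sample: T1 2 is correctly split into two fractional groups,
# T1 3 is mis-split so its two groups both claim timeslots 12 and 13.
SAMPLE_CONFIG = """\
controller T3 5/0
 framing m23
 clock source internal
 cablelength 10
 t1 1 channel-group 0 timeslots 1-24
 t1 2 channel-group 0 timeslots 1-12
 t1 2 channel-group 1 timeslots 13-24
 t1 3 channel-group 0 timeslots 1-13
 t1 3 channel-group 1 timeslots 12-24
"""

# The arrangement that worked in the thread: the 7206 sources the DS3 clock
# and its T1s are internal; the mux and the CPEs take clock from line.
GOOD_LINKS = [
    ("DS3 7206<->mux", "internal", "line"),
    ("DS1 7206 t1 1<->CPE", "internal", "line"),
]
# The earlier arrangement: the mux was still on its own internal clock.
BAD_LINKS = [("DS3 7206<->mux", "internal", "internal")]

if __name__ == "__main__":
    for problem in check_channel_groups(SAMPLE_CONFIG) + check_clock_chain(BAD_LINKS):
        print("PROBLEM:", problem)
```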
Thanks again
Justin

From dsinn at dsinn.com Wed Dec 10 12:26:23 2008
From: dsinn at dsinn.com (David Sinn)
Date: Wed, 10 Dec 2008 09:26:23 -0800
Subject: [c-nsp] SXH4 Applying VLAN changes may take few minutes
In-Reply-To: <20081210094614.GF8535@greenie.muc.de>
References: <844ef89c0812100136u7ea68934w8e8003b2a021232b@mail.gmail.com> <20081210094614.GF8535@greenie.muc.de>
Message-ID: <849C881A-4500-4E8F-8D33-8C86AB7C93FD@dsinn.com>

Hey,

On Dec 10, 2008, at 1:46 AM, Gert Doering wrote:
> Hi,
>
> On Wed, Dec 10, 2008 at 10:36:44AM +0100, David Granzer wrote:
>> did anybody see output below with SXH4 ? Why applying vlan can take a
>> few minutes ?
>>
>> 6503-lab-1#conf t
>> Enter configuration commands, one per line. End with CNTL/Z.
>> 6503-lab-1(config)#vlan 123
>> 6503-lab-1(config-vlan)#end
>> % Applying VLAN changes may take few minutes. Please wait..
>
> Same message here, with SXH3a and SXI. But it never took any sort of
> "noticeable" time.

This is likely related to the intro of VSS, which does take forever to sync the VLAN DB and was intro'ed in SXH.

David

> I'd guess that this might be different in a VTP environment with
> "lots of" devices. We don't use VTP (anymore), though, so I wouldn't know.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From spinthiras.mario at gmail.com Wed Dec 10 12:48:46 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Wed, 10 Dec 2008 19:48:46 +0200
Subject: [c-nsp] automated network monitorgin
Message-ID: <4f890e580812100948r1cf07d05q497379bb692ba76a@mail.gmail.com>

Dear all,

I posted an email to this list a while back regarding network monitoring. I came up with a theory which I would like to share with the world which might be something interesting though I don't know due to the diversity of network design today. My questions are essentially the following: when you hear the words "automated network monitoring" and "multi layer topology mapping", how do you perceive these, and how are they (if they are) implemented on a network near you? My theory on multi correlated data processing from network nodes is available at http://www.spinthiras.net/2008/12/10/network-monitoring-logic/ and it basically refers to the logic behind monitoring systems being implemented to make monitoring systems do human-understandable reasoning from a network problem point of view. Your feedback is more than welcome.

Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

From jay at west.net Wed Dec 10 13:05:01 2008
From: jay at west.net (Jay Hennigan)
Date: Wed, 10 Dec 2008 10:05:01 -0800
Subject: [c-nsp] DS3 mux issues
In-Reply-To: <493FDD52.404@justinshore.com>
References: <493EE315.2000103@justinshore.com> <200812091658.29211.lesmith@ecsis.net> <493FDD52.404@justinshore.com>
Message-ID: <494004CD.1090001@west.net>

Justin Shore wrote:
> Larry Smith wrote:
>>> t1 26 channel-group 0 timeslots 1-24
>>> t1 27 channel-group 0 timeslots 1-24
>>> t1 28 channel-group 0 timeslots 1-24
>>>
>> controller T3 5/0
>> framing m23
>> clock source line
>> cablelength 10
>> t1 1 channel-group 0 timeslots 1-24
>> t1 2 channel-group 1 timeslots 1-24
>> t1 3 channel-group 2 timeslots 1-12
>
> Morning, Larry. Do you know if the channel-group # is significant to
> each DS1 or does the channel-group # have to be unique across the DS3?
> I'm thinking that it's unique to the DS1 so that you can create X number
> of channel-groups on a DS1 if needed but I'm not 100% on that.

It is per T-1, so you can make them all channel-group 0 if you want. Makes finding the sub-interfaces easier.

>> t1 1 clock source Line
>
> Do you think I should generate clocking on our router or on the mux? We
> don't have an external clock source in that CO. I expect to have up to
> a dozen different M13s connected to this 7206 as time goes by. Would it
> be a problem if the 7206 received clocking on each DS3 from each of the
> muxes or would that screw things up internally? At this point I don't
> expect to get handed a T1 w/ clocking from the RBOC. All the CPEs will
> be line of course.

Do you control both ends of the T3 link? If the other end is a carrier-supplied mux, then our best practice is to clock the aggregate T3 by line and have the carrier's BITS clock drive the T3. Then on the router clock each individual T1 internally on the channelized T3 card at the aggregate router end. Have the remote T1 routers clock from line.
If you clock the individual T1s from line on the DS3 mux, then either the tail-end router or the T1 carrier in between must source clock. This is not the usual scenario.

In crude graphics:

Carrier BITS -> Carrier T3 -> your CT3 card -> T1 line -> tail router.

>> On your virtual, what does it show:
>
> 7206:
> Serial1/0/1:0 is down, line protocol is down
>   Hardware is PA-MC-2T3-EC
>   Internet address is 1.1.1.1/24
>   MTU 1500 bytes, BW 1536 Kbit/sec, DLY 20000 usec,
>      reliability 253/255, txload 1/255, rxload 1/255
>   Encapsulation HDLC, crc 16, loopback not set
>   Keepalive set (10 sec)
>   Last input 18:15:59, output never, output hang never
>   Last clearing of "show interface" counters 00:00:07
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: weighted fair
>   Output queue: 0/1000/64/0 (size/max total/threshold/drops)
>      Conversations 0/1/16 (active/max active/max total)
>      Reserved Conversations 0/0 (allocated/max allocated)
>      Available Bandwidth 1152 kilobits/sec
>   5 minute input rate 0 bits/sec, 0 packets/sec
>   5 minute output rate 0 bits/sec, 0 packets/sec
>      0 packets input, 0 bytes, 0 no buffer
>      Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
>      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
>      0 packets output, 0 bytes, 0 underruns
>      0 output errors, 0 collisions, 1 interface resets
>      0 output buffer failures, 0 output buffers swapped out
>      0 carrier transitions alarm present
>   VC:0 Timeslot(s): 1-24, Transmitter delay 0, non-inverted data
>
> 2811:
> Serial0/1/1:0 is down, line protocol is down
>   Hardware is GT96K Serial
>   MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec,
>      reliability 252/255, txload 1/255, rxload 1/255
>   Encapsulation HDLC, loopback not set
>   Keepalive set (10 sec)
>   CRC checking enabled
>   Last input 18:33:23, output 18:33:13, output hang never
>   Last clearing of "show interface" counters 19:36:46
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: weighted fair
>   Output queue: 0/1000/64/0 (size/max total/threshold/drops)
>      Conversations 0/1/256 (active/max active/max total)
>      Reserved Conversations 0/0 (allocated/max allocated)
>      Available Bandwidth 1152 kilobits/sec
>   5 minute input rate 0 bits/sec, 0 packets/sec
>   5 minute output rate 0 bits/sec, 0 packets/sec
>      39 packets input, 3582 bytes, 0 no buffer
>      Received 39 broadcasts, 0 runts, 1 giants, 0 throttles
>      16 input errors, 16 CRC, 14 frame, 6 overrun, 0 ignored, 8 abort
>      40 packets output, 3606 bytes, 0 underruns
>      0 output errors, 0 collisions, 1 interface resets
>      0 output buffer failures, 0 output buffers swapped out
>      2 carrier transitions
>   Timeslot(s) Used:1-24, SCC: 1, Transmitter delay is 0 flags
>
> Both are configured only with an IP and are unshut.

Set clock internal on the T1 channel on the CT3 card, it will probably come up. Paste the output for show controller for that T1 on the 7206 if that doesn't fix it.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From spinthiras.mario at gmail.com Wed Dec 10 13:49:05 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Wed, 10 Dec 2008 20:49:05 +0200
Subject: [c-nsp] automated network monitorgin
In-Reply-To: <4f890e580812100948r1cf07d05q497379bb692ba76a@mail.gmail.com>
References: <4f890e580812100948r1cf07d05q497379bb692ba76a@mail.gmail.com>
Message-ID: <4f890e580812101049mb57ef17g438d8f63d0a070c2@mail.gmail.com>

And please forgive the bad spelling and grammar. It happens sometimes.

Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

On Wed, Dec 10, 2008 at 7:48 PM, Mario Spinthiras wrote:
> Dear all,
>
> I posted an email to this list a while back regarding network
> monitoring.
> I came up with a theory which I would like to share with
> the world which might be something interesting, though I don't know due
> to the diversity of network design today. My questions are essentially
> the following: When you hear the words "automated network monitoring"
> and "multi layer topology mapping", how do you perceive these, and
> how are they (if they are) implemented on a network near you? My
> theory on multi correlated data processing from network nodes is
> available at http://www.spinthiras.net/2008/12/10/network-monitoring-logic/
> and it basically refers to the logic behind monitoring systems in
> being implemented to make monitoring systems do human-understandable
> reasoning in a network problem of view. Your feedback is more than
> welcome.
>
> Regards,
> Mario A. Spinthiras
> http://www.spinthiras.net/
>

From jlewis at lewis.org Wed Dec 10 14:51:26 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Wed, 10 Dec 2008 14:51:26 -0500 (EST)
Subject: [c-nsp] 3550 policy routing
Message-ID:

I may have a near future need to do [some more] policy routing on a 3550 and found
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00802135d3.shtml

The 3550 in question is already doing policy routing of locally generated traffic using "ip local policy route-map LocalPolicy", and this did not require changing from the default sdm template. LocalPolicy sets ip next-hop based on the packet's source IP address.

My questions are:

Under recent 12.2 software, will the extended-match sdm template really be required when policy routing routed traffic?

From the above mentioned page, it sounds like even when policy routing, the routing is done in hardware... so is it safe to assume a 3550 can policy route line rate traffic (or at least several hundred mbit/s)?
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From jeremyparr at gmail.com Wed Dec 10 15:10:20 2008
From: jeremyparr at gmail.com (Jeremy Parr)
Date: Wed, 10 Dec 2008 15:10:20 -0500
Subject: [c-nsp] Cisco DSLAM Product Line
Message-ID: <91dee5fc0812101210o3b00871ehdca3072fbdbf7ebf@mail.gmail.com>

Does Cisco even make a DSLAM anymore? I can't find anything on their site. Any good/bad/ugly suggestions welcomed....

From spinthiras.mario at gmail.com Wed Dec 10 15:30:19 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Wed, 10 Dec 2008 22:30:19 +0200
Subject: [c-nsp] Cisco DSLAM Product Line
In-Reply-To: <91dee5fc0812101210o3b00871ehdca3072fbdbf7ebf@mail.gmail.com>
References: <91dee5fc0812101210o3b00871ehdca3072fbdbf7ebf@mail.gmail.com>
Message-ID: <4f890e580812101230s3e656174yb9dc2e1128601c19@mail.gmail.com>

Jeremy,

I don't know if you're looking for Cisco DSLAMs, but Allied Telesis make the iMAPs, which are very well designed DSLAMs. I used them for basic xDSL testing back in the days I was in industry but they were incompatible with a SS so we didn't buy them for that. We did however use them for metro ethernet fiber connectivity. I can assure you they are sweet babies. http://www.alliedtelesis.com/ . Hope this helps. Please don't reply back through the list on this one as it's not a cisco product :) and people might get upset...

Regards,
Mario A. Spinthiras
http://www.spinthiras.net

From saku+cisco-nsp at ytti.fi Wed Dec 10 15:42:03 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Wed, 10 Dec 2008 22:42:03 +0200
Subject: [c-nsp] 12.2(33)SRC2 running 7600
In-Reply-To:
References:
Message-ID: <20081210204203.GA25986@mx.ytti.net>

On (2008-12-10 13:53 +0200), moshe mizrachi wrote:
> does someone have any notes of open bugs on 7600 RSP720-3CXL-GE runs
> 12.2(33)SRC2 ,

I suspect BGP ghosting issue in SRC2. I'm fairly certain at least that in VPNv4 RR functionality there is such. (RR thinks it has sent update, while it has not).

> as well as what is going to be solved on 12.2(33)SRC3 , the bug toolkit is
> empty .....

CSCsq16469 will be fixed SRC3, where uRPF/strict enabled SIP/SPA, OSM cards start to lose packets until you reconfig uRPF per interface or shut/no shut. This bug is also fixed in SRD.

--
++ytti

From saku+cisco-nsp at ytti.fi Wed Dec 10 15:44:14 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Wed, 10 Dec 2008 22:44:14 +0200
Subject: [c-nsp] 3550 policy routing
In-Reply-To:
References:
Message-ID: <20081210204413.GB25986@mx.ytti.net>

On (2008-12-10 14:51 -0500), Jon Lewis wrote:
> Under recent 12.2 software, will the extended-match sdm template really
> be required when policy routing routed traffic?

It always was, for transit.

> From the above mentioned page, it sounds like even when policy routing,
> the routing is done in hardware...so is it safe to assume a 3550 can
> policy route line rate traffic (or at least several hundred mbit/s)?

Yes, but it is mutually exclusive with VRF-lite.
--
++ytti

From markom at markom.info Wed Dec 10 15:57:01 2008
From: markom at markom.info (Marko Milivojevic)
Date: Wed, 10 Dec 2008 20:57:01 +0000
Subject: [c-nsp] 12.2(33)SRC2 running 7600
In-Reply-To: <20081210204203.GA25986@mx.ytti.net>
References: <20081210204203.GA25986@mx.ytti.net>
Message-ID: <1fb747910812101257p18e1711dg50818e994faff159@mail.gmail.com>

On Wed, Dec 10, 2008 at 20:42, Saku Ytti wrote:
> I suspect BGP ghosting issue in SRC2. I'm fairly certain at least that in
> VPNv4 RR functionality there is such. (RR thinks it has sent update,
> while it has not).

We are being hit hard with this one in SRB3. Does anyone know if this has been fixed up to SRB5?

--
Marko
CCIE #18427 (SP)

My network blog: http://cisco.markom.info/

From mtinka at globaltransit.net Wed Dec 10 18:52:48 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 11 Dec 2008 07:52:48 +0800
Subject: [c-nsp] 12.2(33)SRC2 running 7600
In-Reply-To:
References:
Message-ID: <200812110752.52721.mtinka@globaltransit.net>

On Wednesday 10 December 2008 19:53:30 moshe mizrachi wrote:

> as well as what is going to be solved on 12.2(33)SRC3 ,
> the bug toolkit is empty .....

What I know will be fixed in SRC3:

* CSCsu06744 - AS2686 is returned in any IPv6 traceroute performed on a router carrying a full v4 routing table.

The other fixes I know of are particular to the 7200.

Mark.
From rblayzor.bulk at inoc.net Wed Dec 10 19:54:13 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Wed, 10 Dec 2008 19:54:13 -0500
Subject: [c-nsp] DS3 mux issues
In-Reply-To: <493FF0E9.1020503@justinshore.com>
References: <493EE315.2000103@justinshore.com> <200812091658.29211.lesmith@ecsis.net> <493FDD52.404@justinshore.com> <493FDF5B.10706@davidcoulson.net> <493FF0E9.1020503@justinshore.com>
Message-ID:

On Dec 10, 2008, at 11:40 AM, Justin Shore wrote:
> I've got the CO tech coming back to help me troubleshoot it this
> afternoon. With his TBird we should be able to see what's going on.
> Any other thoughts? I'm not sure how I test the DS1 from the 7206
> through to the mux.

Try using a T1 XC cable to your DSX or reversing the TX/RX AMP connectors on the back of the Mux. If it comes up on metallic but not the other way, sounds like you have RX/RX & TX/TX and not RX/TX & RX/TX.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From ranmails at gmail.com Thu Dec 11 01:35:52 2008
From: ranmails at gmail.com (Ran Liebermann)
Date: Thu, 11 Dec 2008 08:35:52 +0200
Subject: [c-nsp] 12.2(33)SRC2 running 7600
In-Reply-To: <200812110752.52721.mtinka@globaltransit.net>
References: <200812110752.52721.mtinka@globaltransit.net>
Message-ID: <8c19328e0812102235q7647682cm66d5ddb49e617230@mail.gmail.com>

We are seeing repeated crashes of ES20 modules (1GE and 10GE) on a device running SRC2 with ISG functionality. All ES20 modules crash together at the same time, and the crashinfo files on the ES20 modules show messages about bad magic number right when it crashes.

On 12/11/08, Mark Tinka wrote:
> On Wednesday 10 December 2008 19:53:30 moshe mizrachi wrote:
>
>> as well as what is going to be solved on 12.2(33)SRC3 ,
>> the bug toolkit is empty .....
>
> What I know will be fixed in SRC3:
>
> * CSCsu06744 - AS2686 is returned in any IPv6 traceroute
> performed on a router carrying a full v4
> routing table.
>
> The other fixes I know of are particular to the 7200.
>
> Mark.
>

--
Ran Liebermann
VP Engineering, PurePeak
ranl at purepeak.com
http://purepeak.com

From david.freedman at uk.clara.net Thu Dec 11 04:16:40 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 11 Dec 2008 09:16:40 +0000
Subject: [c-nsp] IOS IPv6 CEF adjacencies on 12xxx
In-Reply-To:
References: <20081210052242.GM97614@elvis.mu.org>
Message-ID:

Ok, thanks to all those that replied, nobody I spoke to was able to explain this and the best I was told was to clear the dCEF on the ingress linecards in question which fixed the problem.

Since I don't have the luxury of a consistency checker in 12.0(S) I guess I will just have to live with this...

Dave.

David Freedman wrote:
>> should be FE80::C316:9EE if this was a paste-o, ignore this mail
>
> Yes, sorry, I was typing this afresh and not pasting :)
>
>> guess:
>> since rb doesn't point to FE80::C316:9EE there's no adjacency to be
>> incomplete.
>> does 'sh ipv6 cef unresolved' show anything?
>
> Nope, no unresolved entries
>
>> i'm hitting the limits of my knowledge.
>
>> So, it looks like the lack of adjacency is the cause,
>> before I go open a TAC case (and get told to clear dCEF tables/
>> reboot linecards) , is there anything non-invasive I could try to debug/resolve this?
>
>> how are RA,RB getting routes for 2001:DB8:A::1 and 2001:DB8:B::1?
>> if dynamically, try static. if static, try a routing protocol. just to
>> mix things up. :)
>
> Dynamically, via eBGP
>
>
>> a pair of cisco 7301s, albeit running GRE and not ip6ip (sorry
>
> Yes thanks, mine looks like this, except when you ask the linecards, which makes
> me think this is something specific to the platform.
>
> Dave.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From saku+cisco-nsp at ytti.fi Thu Dec 11 06:13:06 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Thu, 11 Dec 2008 13:13:06 +0200
Subject: [c-nsp] 12.2(33)SRC2 running 7600
In-Reply-To: <1fb747910812101257p18e1711dg50818e994faff159@mail.gmail.com>
References: <20081210204203.GA25986@mx.ytti.net> <1fb747910812101257p18e1711dg50818e994faff159@mail.gmail.com>
Message-ID: <20081211111306.GA30372@mx.ytti.net>

On (2008-12-10 20:57 +0000), Marko Milivojevic wrote:
> > I suspect BGP ghosting issue in SRC2. I'm fairly certain at least that in
> > VPNv4 RR functionality there is such. (RR thinks it has sent update,
> > while it has not).
>
> We are being hit hard with this one in SRB3. Does anyone know if this
> has been fixed up to SRB5?

Do you have bugID for this? Cisco has not yet confirmed our suspicions, since they were unable to recreate it in their lab.

--
++ytti

From conceicao.jose at gmail.com Thu Dec 11 06:14:02 2008
From: conceicao.jose at gmail.com (Jose Conceicao)
Date: Thu, 11 Dec 2008 11:14:02 +0000
Subject: [c-nsp] to tweek SPD or not to tweek SPD
Message-ID: <6fcc278a0812110314q1a213910q4c3dd682979541da@mail.gmail.com>

Hi

Under what conditions would it be deemed wise to tweak SPD or disable it altogether?
Regards
/J

From markom at markom.info Thu Dec 11 06:45:13 2008
From: markom at markom.info (Marko Milivojevic)
Date: Thu, 11 Dec 2008 11:45:13 +0000
Subject: [c-nsp] 12.2(33)SRC2 running 7600
In-Reply-To: <20081211111306.GA30372@mx.ytti.net>
References: <20081210204203.GA25986@mx.ytti.net> <1fb747910812101257p18e1711dg50818e994faff159@mail.gmail.com> <20081211111306.GA30372@mx.ytti.net>
Message-ID: <1fb747910812110345g6ec2a0efyebd3d45d33eacd87@mail.gmail.com>

On Thu, Dec 11, 2008 at 11:13, Saku Ytti wrote:
> On (2008-12-10 20:57 +0000), Marko Milivojevic wrote:
>
>> > I suspect BGP ghosting issue in SRC2. I'm fairly certain at least that in
>> > VPNv4 RR functionality there is such. (RR thinks it has sent update,
>> > while it has not).
>>
>> We are being hit hard with this one in SRB3. Does anyone know if this
>> has been fixed up to SRB5?
>
> Do you have bugID for this? Cisco has not yet confirmed our suspicions,
> since they were unable to recreate it in their lab.

Unfortunately not. I'm also sure they were unable to reproduce it. It's very sporadic. We are still trying to work out what triggers the problem.

--
Marko
CCIE #18427 (SP)

My network blog: http://cisco.markom.info/

From gert at greenie.muc.de Thu Dec 11 07:27:25 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 11 Dec 2008 13:27:25 +0100
Subject: [c-nsp] loop-testing 10G with cisco?
Message-ID: <20081211122725.GL8535@greenie.muc.de>

Hi,

I'm facing a new challenge and hope that one of you has a nice trick for me...

We are working on taking a 10G wavelength into service, and it has packet errors (CRC errors showing up on one side). 3 different fiber providers involved, plus local in-house cabling. Difficult.

For "classic" lines (T1 to STM- serials), the normal approach to diagnosing this is to loop back the fiber at certain points of the path, and see which part is the problematic one.

This works with 10G fiber as well, but I can't find a way to ping-test the loop from the Cisco.
Here's the setup:

Cisco 6506, Sup720-10GE =============) loop cable

I can *see* the loop ("show cdp neighbor" shows myself, and if UDLD is enabled, the interface goes to errdisable).

I just can't ping-test, as the router is clever(?) enough to locally loop the packets - self-ping won't leave the box. On a serial interface, pinging myself will make the router send out the packet over the serial, so I can nicely ping-test the loop.


So - what's the trick for testing such things with a 10GE LAN interface?

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From p.mayers at imperial.ac.uk Thu Dec 11 07:43:38 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 11 Dec 2008 12:43:38 +0000
Subject: [c-nsp] loop-testing 10G with cisco?
In-Reply-To: <20081211122725.GL8535@greenie.muc.de>
References: <20081211122725.GL8535@greenie.muc.de>
Message-ID: <49410AFA.9030805@imperial.ac.uk>

Gert Doering wrote:
> Hi,
>
> I'm facing a new challenge and hope that one of you has a nice trick for
> me...
>
> We are working on taking a 10G wavelength into service, and it has packet
> errors (CRC errors showing up on one side). 3 different fiber providers
> involved, plus local in-house cabling. Difficult.
>
> For "classic" lines (T1 to STM- serials), the normal approach to
> diagnosing this is to loop back the fiber at certain points of the path,
> and see which part is the problematic one.
>
> This works with 10G fiber as well, but I can't find a way to ping-test
> the loop from the Cisco.
>
> Here's the setup:
>
> Cisco 6506, Sup720-10GE =============) loop cable
>
> I can *see* the loop ("show cdp neighbor" shows myself, and if UDLD is
> enabled, the interface goes to errdisable).
>
> I just can't ping-test, as the router is clever(?) enough to locally
> loop the packets - self-ping won't leave the box. On a serial interface,
> pinging myself will make the router send out the packet over the serial,
> so I can nicely ping-test the loop.
>
>
> So - what's the trick for testing such things with a 10GE LAN interface?

WAG, but maybe something like:

int Te1/1
 ip unnumbered Lo1

ip route 192.168.1.1 255.255.255.255 Te1/1

The un-numbered command ought to stop the router ARPing for next-hop, and you can then:

ping 192.168.1.1

Obviously you won't get any replies because the cisco won't receive on 192.168.1.1 but the counters should increment.

I'd be interested to know if this works...

The other option might be to use two 10gig ports and a kind of Y-cable arrangement for the patch lead, using a port for TX, and a port for RX, and put either the TX or RX port into a vrf.

From Anton.Schweitzer at o2.com Thu Dec 11 07:52:55 2008
From: Anton.Schweitzer at o2.com (Anton.Schweitzer at o2.com)
Date: Thu, 11 Dec 2008 13:52:55 +0100
Subject: [c-nsp] Trigger Backup With Cisco SLA
Message-ID:

Hi,

is anybody here using Cisco Object Tracking for triggering backup connections and can share experiences for a huge amount of devices, timing etc?

We want to use IP SLA to Ping 3 different Hosts, when 2 of them fail then we switch to the backup connection.
ip sla 2
 icmp-echo 1.1.1.1 source-ip 192.168.101.1
 timeout 1000
 threshold 500
 frequency 3
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 1.1.1.2 source-ip 192.168.101.1
 timeout 1000
 threshold 500
 frequency 3
ip sla schedule 3 life forever start-time now
ip sla 4
 icmp-echo 1.1.1.3 source-ip 192.168.101.1
 timeout 1000
 threshold 500
 frequency 3
ip sla schedule 4 life forever start-time now

track 1 list threshold percentage
 object 2
 object 3
 object 4
 threshold percentage down 65 up 66
!
track 2 rtr 2 reachability
!
track 3 rtr 3 reachability
!
track 4 rtr 4 reachability

ip route 0.0.0.0 0.0.0.0 Dialer3 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 254

ip local policy route-map MY-LOCAL-POLICY

route-map MY-LOCAL-POLICY permit 10
 match ip address 101
 set interface Dialer3 Null0
!
route-map MY-LOCAL-POLICY permit 20

Cheers
Anton

Anton Schweitzer
Senior Specialist BS Projekt & Service Customer Design
o2 (Germany) GmbH & Co.OHG
Georg Brauchle-Ring 23-25, D-80992 München
Tel +49(0)89-2442-5794
Mobile +49(0)176-23407715
Fax +49(0)89-2442-4281
anton.schweitzer at o2.com

Telefónica o2 Germany GmbH & Co. OHG · Georg-Brauchle-Ring 23-25 · 80992 München · Germany · www.o2.com/de
VAT ID no. DE 811 889 638. Munich District Court HRA 70343. Partners: Telefónica o2 Germany Management GmbH, Munich District Court HRB 109061, and Telefónica o2 Germany Verwaltungs GmbH, Munich District Court HRB 121389, both at the same court. Managing directors of both partners: Jaime Smith Basterra, chairman. Antonio Botas Banuelos. Andrea Folgueiras. André Krause. Lutz Schüler. Carsten Wreth.

From Mark at u.tv Thu Dec 11 07:08:07 2008
From: Mark at u.tv (Mark Tohill)
Date: Thu, 11 Dec 2008 12:08:07 -0000
Subject: [c-nsp] CoPP configuration..
Message-ID: <658F94741F4A8A4F94171E37E417488B0272DA84@UTVEXCHANGE.utv.local>

Hi,

Can anyone offer me advice on configuring CoPP on internet-facing edge routers?

I'm running 12.4(21a) on 7200VXR's.
I have an initial configuration with the usual well documented classifications (http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html) and can access the proper values (I think) from CISCO-CLASS-BASED-QOS-MIB, which I could graph in MRTG without too much difficulty. Here's the output from 'sh policy-map control-plane':

sh policy-map control-plane | include offered
5 minute offered rate 0 bps, drop rate 0 bps
5 minute offered rate 1000 bps
5 minute offered rate 2000 bps
5 minute offered rate 0 bps
5 minute offered rate 0 bps
5 minute offered rate 1000 bps
5 minute offered rate 0 bps, drop rate 0 bps

These values are 'bursty' and seem to come in multiples of 1000. Is there any merit in graphing these values over time and setting CoPP MQC values from that? It feels a bit crude.

Thanks,
Mark

Mark Tohill
UTV Internet
T:+44 (0)28 90 262196
M:+44 (0)7786 278716
E:mark at u.tv

From gert at greenie.muc.de Thu Dec 11 08:17:50 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 11 Dec 2008 14:17:50 +0100
Subject: [c-nsp] loop-testing 10G with cisco?
In-Reply-To: <49410AFA.9030805@imperial.ac.uk>
References: <20081211122725.GL8535@greenie.muc.de> <49410AFA.9030805@imperial.ac.uk>
Message-ID: <20081211131750.GO8535@greenie.muc.de>

Hi,

On Thu, Dec 11, 2008 at 12:43:38PM +0000, Phil Mayers wrote:
> int Te1/1
> ip unnumbered Lo1

Won't work on SXH...

Cisco(config-if)#ip unn lo0
Point-to-point (non-multi-access) interfaces only

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Thu Dec 11 08:25:25 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 11 Dec 2008 14:25:25 +0100
Subject: [c-nsp] loop-testing 10G with cisco?
In-Reply-To: <20081211131750.GO8535@greenie.muc.de>
References: <20081211122725.GL8535@greenie.muc.de> <49410AFA.9030805@imperial.ac.uk> <20081211131750.GO8535@greenie.muc.de>
Message-ID: <20081211132525.GP8535@greenie.muc.de>

Hi,

On Thu, Dec 11, 2008 at 02:17:50PM +0100, Gert Doering wrote:
> On Thu, Dec 11, 2008 at 12:43:38PM +0000, Phil Mayers wrote:
> > int Te1/1
> > ip unnumbered Lo1
>
> Won't work on SXH...
>
> Cisco(config-if)#ip unn lo0
> Point-to-point (non-multi-access) interfaces only

... ok, this doesn't work, but it gave me an idea.

1. configure a transfer network x.x.x.1/30
2. configure a static arp entry for x.x.x.2
3. "ping x.x.x.2 repeat 10000 timeout 0"

then look at the interface counters:

     9941 packets input, 1173347 bytes, 0 no buffer
     Received 1 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     163 input errors, 163 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     10011 packets output, 1181607 bytes, 0 underruns

... sufficient to see "here be problems" :)

thanks,
gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From saku+cisco-nsp at ytti.fi Thu Dec 11 09:18:07 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Thu, 11 Dec 2008 16:18:07 +0200
Subject: [c-nsp] CoPP configuration..
In-Reply-To: <658F94741F4A8A4F94171E37E417488B0272DA84@UTVEXCHANGE.utv.local>
References: <658F94741F4A8A4F94171E37E417488B0272DA84@UTVEXCHANGE.utv.local>
Message-ID: <20081211141807.GB31311@mx.ytti.net>

On (2008-12-11 12:08 -0000), Mark Tohill wrote:
> Can anyone offer me advice on configuring CoPP on internet-facing edge
> routers?
>
> I'm running 12.4(21a) on 7200VXR's.
Are you running MPLS, if so, you might want to know that in VXR CoPP is evaluated before EXP null is popped. This effectively means that there is no point running CoPP in such setup. Cisco handle this case in '603198067' and told it's expected, which was rather disappointing to hear. In 7600 luckily exp null is popped before CoPP is evaluated.

> I have an initial configuration with the usual well documented
> classifications
> (http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html)
> and can access the proper values (I think) from
> CISCO-CLASS-BASED-QOS-MIB, which I could graph in MRTG without too much
> difficulty. Here's the output from 'sh policy-map control-plane':
>
> sh policy-map control-plane | include offered
> 5 minute offered rate 0 bps, drop rate 0 bps
> 5 minute offered rate 1000 bps
> 5 minute offered rate 2000 bps
> 5 minute offered rate 0 bps
> 5 minute offered rate 0 bps
> 5 minute offered rate 1000 bps
> 5 minute offered rate 0 bps, drop rate 0 bps
>
> These values are 'bursty' and seem to come in multiples of 1000. Is
> there any merit in graphing these values over time and setting CoPP MQC
> values from that? It feels a bit crude.
>
> Thanks,
> Mark
>
>
> Mark Tohill
> UTV Internet
> T:+44 (0)28 90 262196
> M:+44 (0)7786 278716
> E:mark at u.tv

--
++ytti

From justin at justinshore.com Thu Dec 11 09:44:21 2008
From: justin at justinshore.com (Justin Shore)
Date: Thu, 11 Dec 2008 08:44:21 -0600
Subject: [c-nsp] DS3 mux issues
In-Reply-To:
References: <493EE315.2000103@justinshore.com> <200812091658.29211.lesmith@ecsis.net> <493FDD52.404@justinshore.com> <493FDF5B.10706@davidcoulson.net> <493FF0E9.1020503@justinshore.com>
Message-ID: <49412745.0@justinshore.com>

Robert Blayzor wrote:
> Try using a T1 XC cable to your DSX or reversing the TX/RX AMP
> connectors on the back of the Mux. If it comes up on metallic but not
> the other way, sounds like you have RX/RX & TX/TX and not RX/TX &
> RX/TX.

Exactly. That's what he ended up doing in the CO before I got back there. Since he wired it I wanted him to identify the problem. We're trying to create a cookie-cutter template for all our remote COs and various folks with expertise in certain areas are contributing to it. Wiring isn't my area of expertise so I'm leaving that up to the CO tech.

Justin

From stig.johansen at ementor.no Thu Dec 11 09:45:51 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Thu, 11 Dec 2008 15:45:51 +0100
Subject: [c-nsp] Cisco DSLAM Product Line
In-Reply-To: <91dee5fc0812101210o3b00871ehdca3072fbdbf7ebf@mail.gmail.com>
References: <91dee5fc0812101210o3b00871ehdca3072fbdbf7ebf@mail.gmail.com>
Message-ID: <5EB9799F396A304686962AFFF740ED0CB1753CC7@NOOSLEXCH001.adno.local>

Jeremy Parr wrote:
> Does Cisco even make a DSLAM anymore? I can't find anything on their site.
> Any good/bad/ugly suggestions welcomed....
I guess not:
https://www.cisco.com/en/US/prod/collateral/switches/ps5704/ps298/prod_end-of-life_notice0900aecd80272b2e.html

We have used ZyXEL IES-1000 and IES-3000 DSLAMs for a while, and they generally do what they are supposed to do.

/Stig

From twist3dmac at gmail.com Thu Dec 11 10:13:39 2008
From: twist3dmac at gmail.com (twisted mac)
Date: Thu, 11 Dec 2008 15:13:39 +0000
Subject: [c-nsp] IPSec between Cisco and D-Link
Message-ID: <88dfbf880812110713m472d46d2ufae29e265a181a7d@mail.gmail.com>

Howdy!

Sorry to bother, but I found this post by googling it. If you remember how you solved this, can you please help me? Have the same problem, can't understand what the heck those DLink boxes see on the other side.

My config is similar to yours.

tks
mac

From saku+cisco-nsp at ytti.fi Thu Dec 11 10:41:30 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Thu, 11 Dec 2008 17:41:30 +0200
Subject: [c-nsp] Cisco DSLAM Product Line
In-Reply-To: <91dee5fc0812101210o3b00871ehdca3072fbdbf7ebf@mail.gmail.com>
References: <91dee5fc0812101210o3b00871ehdca3072fbdbf7ebf@mail.gmail.com>
Message-ID: <20081211154130.GA31839@mx.ytti.net>

On (2008-12-10 15:10 -0500), Jeremy Parr wrote:
> Does Cisco even make a DSLAM anymore? I can't find anything on their
> site. Any good/bad/ugly suggestions welcomed....

Cisco's last DSLAM was c6260 (hacked LS1010 more or less). There was one time rumour that cisco planned to release both cat3750 based pizzabox DSLAM and cat6500 DSL blade. I hear Cisco talks this internally quite often, not sure why they fail to appear in the market. They are successful in cable market, how would DSL exactly be that different I don't know.

When it comes to recommending DSLAM, all I can tell is that they all suck. When you have to sell port for 20e, it is bound to show.
What I'd expect in DSLAM, from top of my head

* ability to force forwarding to always some destination MAC - eg to L3 aggregation VRRP, allowing L2 separation
* ability to sniff/spoof ARP
  - network->customer, DSLAM replies, does not send to customer
  - customer->network, DSLAM replies, always preconfigured MAC, eg. router VRRP
* ability to overwrite src MAC, so entire port, regardless how many computers, are seen as single PC. Reducing MAC usage in L2 aggregation.
* ability to sniff DHCP, with ip source guard (uRPF in DSLAM)
* ability to inject opt82 in DHCP
* ability to do strict priority queue based on packet length (Doing priority on <200bytes packets is pretty cover-all QoS. Protects your VoIP, gaming, TCP ACK, interactive ssh...)
* higher MTU for DSL connection, at least 12bytes extra.
* multiple PVC support, and multiple VLAN support over single PVC
* ability to double tag untagged frames coming to DSL port
* L3 ACL in DSL port (to deny residential from sending tcp/25 outside designated SMTP servers)
* hardware capable of doing all of above with IPv6
* able to initial setup, config and restore config via CLI
* fast reload time

--
++ytti

From Mark at u.tv Thu Dec 11 12:18:17 2008
From: Mark at u.tv (Mark Tohill)
Date: Thu, 11 Dec 2008 17:18:17 -0000
Subject: [c-nsp] CoPP configuration..
Message-ID: <658F94741F4A8A4F94171E37E417488B0272DA88@UTVEXCHANGE.utv.local>

Thanks Ytti,

Are you running MPLS, if so, you might want to know that in VXR CoPP is evaluated before EXP null is popped. This effectively means that there is no point running CoPP in such setup. Cisco handle this case in '603198067' and told it's expected, which was rather disappointing to hear. In 7600 luckily exp null is popped before CoPP is evaluated.

>> Thankfully, no MPLS. BGP, GRE, ACLs, nothing special.
Mark

Mark Tohill
UTV Internet
T:+44 (0)28 90 262196
M:+44 (0)7786 278716
E:mark at u.tv

From justin at justinshore.com Thu Dec 11 13:58:01 2008
From: justin at justinshore.com (Justin Shore)
Date: Thu, 11 Dec 2008 12:58:01 -0600
Subject: [c-nsp] RSTP or MST on an IOS router
Message-ID: <494162B9.7070309@justinshore.com>

I'm sure this is an easy softball for someone on this list. Do IOS routers such as the ISRs, 7200s, etc support anything other than traditional STP? I'd like to set up RSTP for one particular redundancy design scenario involving a 2800 with an ESW HWIC and a pair of stacked 3750Es. I'm recommending that HW using STP (preferably rapid-STP) to shutdown the redundant link to the second 3750E. Simple enough and low-cost. I can't find any useful docs on cisco.com that refer to IOS routers and RSTP.

The other thought that just came to mind is Etherchannel support on the ESW ports in an ISR. Do they support Etherchannel? If so then that would eliminate the need for RSTP.

Thanks
Justin

From jhigham at epri.com Thu Dec 11 14:14:15 2008
From: jhigham at epri.com (Higham, Josh)
Date: Thu, 11 Dec 2008 11:14:15 -0800
Subject: [c-nsp] RSTP or MST on an IOS router
In-Reply-To: <494162B9.7070309@justinshore.com>
References: <494162B9.7070309@justinshore.com>
Message-ID: <4C3B8C75B5899943AEC675BA6DD462730169915D@uspalex02.epri.com>

> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
> Sent: Thursday, December 11, 2008 10:58 AM
>
> The other thought that just came to mind is Etherchannel
> support on the
> ESW ports in an ISR. Do they support Etherchannel? If so then that
> would eliminate the need for RSTP.

The ethernet HWIC ports do not support Etherchannel, unfortunately, and I can't see how to configure/change the STP mode in a very brief check. The modules are fully featured switches though.
Thanks, Josh From spinthiras.mario at gmail.com Thu Dec 11 22:01:49 2008 From: spinthiras.mario at gmail.com (Mario Spinthiras) Date: Fri, 12 Dec 2008 05:01:49 +0200 Subject: [c-nsp] IPSec between Cisco and D-Link In-Reply-To: <88dfbf880812110713m472d46d2ufae29e265a181a7d@mail.gmail.com> References: <88dfbf880812110713m472d46d2ufae29e265a181a7d@mail.gmail.com> Message-ID: <4f890e580812111901p475c3975g2cc8152deee48ef1@mail.gmail.com> How about the actual problem so we can help there? Logs , errors? From md at bts.sk Fri Dec 12 04:34:34 2008 From: md at bts.sk (Marian =?utf-8?B?xI51cmtvdmnEjQ==?=) Date: Fri, 12 Dec 2008 10:34:34 +0100 Subject: [c-nsp] loop-testing 10G with cisco? In-Reply-To: <20081211132525.GP8535@greenie.muc.de> References: <20081211122725.GL8535@greenie.muc.de> <49410AFA.9030805@imperial.ac.uk> <20081211131750.GO8535@greenie.muc.de> <20081211132525.GP8535@greenie.muc.de> Message-ID: <20081212093434.GA79478@bts.sk> On Thu, Dec 11, 2008 at 02:25:25PM +0100, Gert Doering wrote: > ... ok, this doesn't work, but it gave me an idea. > > 1. configure a transfer network x.x.x.1/30 > 2. configure a static arp entry for x.x.x.2 > 3. "ping x.x.x.2 repeat 10000 timeout 0" In fact you don't even need to bother with static ARP entry. Just ping to the subnet's broadcast address :-) With kind regards, -------------------------------------------------------------------------- ---- ---- ---- Marian ?urkovi? network manager ---- ---- ---- ---- Slovak Technical University Tel: +421 2 571 041 81 ---- ---- Computer Centre, N?m. 
----  Slobody 17                            Fax: +421 2 524 94 351    ----
----  812 43 Bratislava, Slovak Republic    E-mail/sip: md at bts.sk    ----
----                                                                  ----
--------------------------------------------------------------------------

From felixnkansah at gmail.com Fri Dec 12 05:23:59 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Fri, 12 Dec 2008 10:23:59 +0000
Subject: [c-nsp] Non-Israeli E1-over-IP products
Message-ID: <18dba4e50812120223h1b756ce5u3cc918379d529c6@mail.gmail.com>

Hi Team,

I recommended RAD products for a client looking to accomplish TDM over IP.

However, they say they cannot accept any products from Israel. :-)

I was wondering if any of you have used other good E1 over IP products from a company that is not Israeli.

Would appreciate your suggestions on this matter.

Regards,
Felix

From Moens at carrier2carrier.com Fri Dec 12 05:28:30 2008
From: Moens at carrier2carrier.com (Martin Moens)
Date: Fri, 12 Dec 2008 11:28:30 +0100
Subject: [c-nsp] Non-Israeli E1-over-IP products
In-Reply-To: <18dba4e50812120223h1b756ce5u3cc918379d529c6@mail.gmail.com>
References: <18dba4e50812120223h1b756ce5u3cc918379d529c6@mail.gmail.com>
Message-ID: <42F0C766A9A8DB47B5E86CA64738DC8B01905D76@bilbo.bdhz.c2c.local>

NM-CEM-4TE1 4 Port T1/E1 Circuit Emulation over IP NM

cisco-nsp-bounces at puck.nether.net <> wrote on 12/12/2008 11:24:
> Hi Team,
> I recommended RAD products for a client looking to accomplish
> TDM over IP.
>
> However, they say they cannot accept any products from Israel. :-)
>
> I was wondering if any of you have used other good E1 over IP
> products from a company that is not Israeli.
>
> Would appreciate your suggestions on this matter.
>
> Regards,
>
> Felix
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From gert at greenie.muc.de Fri Dec 12 05:38:07 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 12 Dec 2008 11:38:07 +0100
Subject: [c-nsp] loop-testing 10G with cisco?
In-Reply-To: <20081212093434.GA79478@bts.sk>
References: <20081211122725.GL8535@greenie.muc.de> <49410AFA.9030805@imperial.ac.uk> <20081211131750.GO8535@greenie.muc.de> <20081211132525.GP8535@greenie.muc.de> <20081212093434.GA79478@bts.sk>
Message-ID: <20081212103807.GU8535@greenie.muc.de>

Hi,

On Fri, Dec 12, 2008 at 10:34:34AM +0100, Marian Ďurkovič wrote:
> On Thu, Dec 11, 2008 at 02:25:25PM +0100, Gert Doering wrote:
> > ... ok, this doesn't work, but it gave me an idea.
> >
> > 1. configure a transfer network x.x.x.1/30
> > 2. configure a static arp entry for x.x.x.2
> > 3. "ping x.x.x.2 repeat 10000 timeout 0"
>
> In fact you don't even need to bother with static ARP entry.
> Just ping to the subnet's broadcast address :-)

Oh, indeed. I tried the broadcast pinging, and wasn't happy because it sends packets so slowly - but "timeout 0" indeed works for broadcast as well. Nice :)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From rjs at eng.gxn.net Fri Dec 12 06:21:59 2008
From: rjs at eng.gxn.net (Rob Shakir)
Date: Fri, 12 Dec 2008 11:21:59 +0000
Subject: [c-nsp] SPA-1XCHSTM1/OC3 SDH Software Implementation
Message-ID: <20081212112159.GA1397@cappuccino.rob.sh>

Hi,

I'm currently involved in deploying a new platform for terminating a reasonable number of E1s, which are delivered on N channelised STM-1 from Ericsson OMS1684 MUXes. We're terminating these STM-1s on 7609-S with SIP-200 and SPA-1XCHSTM1/OC3, and seem to have come across a somewhat surprising limitation of the software on these SPAs. I'd be interested to hear, on or off-list, whether this limitation is affecting any other providers trying to use these SPAs.

The limitation is that the SPA cannot parse VC-12 path overheads (the V5 byte of the SDH path overheads) fully -- as far as I can tell, the only value that it is able to parse is the VC-AIS signal (the signal label (bits 5, 6 and 7) in the V5 byte being set to 111). This means that when a VC-12 is unequipped (signal label = 000), the VC-12 is marked as up on the box. For example, on this channel this VC-12 isn't equipped by the telco:

rtr# sh controller sonet 2/1/0.1/3/2/3 brief
SONET 2/1/0 is up.
Path mode C12
AU-4 1, TUG-3 3, TUG-2 2, E1 3 (C-12 1/3/2/3) is up
No alarms detected.
Framing is unframed, Clock Source is Internal

This means that the mapped Serial interface looks like:

rtr#sh int ser2/1/0.1/3/2/3:0
Serial2/1/0.1/3/2/3:0 is up, line protocol is down
Hardware is SPA-1XCHSTM1/OC3
Description: :f=qt:
...

Being in an up/down state, and showing the VC-12 as up when there are alarms set in the VC-12 POH, seems to me to be completely invalid behaviour. We have checked the state of the VC-12 POHs with an SDH analyser -- and verified that the MUX is setting these correctly.
This behaviour is causing us a number of problems with both provisioning and administration of these circuits. This problem is even more frustrating due to the fact that the PA-MC-STM-1SM that we're using in a FlexWAN on another box is able to show LP-UNEQ alarms correctly, and marks the VC-12 as down.

I've got SR 610067345, and CSCsw25088 tracking this problem -- but would be very interested to hear whether this problem is affecting any other service providers using this SPA.

Many thanks for any comments.

Cheers,
Rob

--
Rob Shakir
Network Development Engineer
GX Networks/Vialtus Solutions
ddi: +44208 587 6077
mob: +44797 155 4098
pgp: 0xc07e6deb
nic-hdl: RJS-RIPE

This email is subject to: http//www.vialtus.com/disclaimer.html

From twist3dmac at gmail.com Fri Dec 12 07:55:07 2008
From: twist3dmac at gmail.com (twisted mac)
Date: Fri, 12 Dec 2008 12:55:07 +0000
Subject: [c-nsp] IPSec between Cisco and D-Link
In-Reply-To: <4f890e580812111901p475c3975g2cc8152deee48ef1@mail.gmail.com>
References: <88dfbf880812110713m472d46d2ufae29e265a181a7d@mail.gmail.com> <4f890e580812111901p475c3975g2cc8152deee48ef1@mail.gmail.com>
Message-ID: <88dfbf880812120455p2a276a9bve5f0439d47f11680@mail.gmail.com>

Seems fair enough :)

logs from dlink

2008-12-11 17:30:21: IkeSnoop: Received IKE packet from 82.x.x.x:500
Exchange type : Informational
ISAKMP Version : 1.0
Flags : E (encryption)
Cookies : 0x458f51017c4a446 -> 0xa582286a38ab6fb0
Message ID : 0x2f8ad085
Packet length : 452 bytes
# payloads : 2
Payloads:
HASH (Hash)
Payload data length : 20 bytes
N (Notification)
Payload data length : 396 bytes
Protocol ID : ESP
Notification : No proposal chosen

logs from cisco:

xxx#debug crypto isakmp
Crypto ISAKMP debugging is on
xxx#
2d23h: ISAKMP (0:134217749): received packet from 217.x.x.x dport 500 sport 500 Global (R) QM_IDLE
2d23h: ISAKMP: set new node -1473959992 to QM_IDLE
2d23h: ISAKMP:(0:21:SW:1): processing HASH payload.
message ID = -1473959992
2d23h: ISAKMP:(0:21:SW:1): processing SA payload. message ID = -1473959992
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: transform 1, ESP_AES
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: key length is 128
2d23h: ISAKMP: authenticator is HMAC-MD5
2d23h: ISAKMP: SA life type in seconds
2d23h: ISAKMP: SA life duration (basic) of 3600
2d23h: ISAKMP: encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: transform 2, ESP_AES
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: key length is 128
2d23h: ISAKMP: authenticator is HMAC-SHA
2d23h: ISAKMP: SA life type in seconds
2d23h: ISAKMP: SA life duration (basic) of 3600
2d23h: ISAKMP: encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: transform 3, ESP_3DES
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: authenticator is HMAC-MD5
2d23h: ISAKMP: SA life type in seconds
2d23h: ISAKMP: SA life duration (basic) of 3600
2d23h: ISAKMP: encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: transform 4, ESP_3DES
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: authenticator is HMAC-SHA
2d23h: ISAKMP: SA life type in seconds
2d23h: ISAKMP: SA life duration (basic) of 3600
2d23h: ISAKMP: encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: authenticator is HMAC-MD5
2d23h: ISAKMP: SA life type in seconds
2d23h: ISAKMP: SA life duration (basic) of 3600
2d23h: ISAKMP: encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: authenticator is HMAC-SHA
2d23h: ISAKMP: SA life type in seconds
2d23h: ISAKMP: SA life duration (basic) of 3600
2d23h: ISAKMP: encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: key length is 128
2d23h: ISAKMP: authenticator is HMAC-MD5
2d23h: ISAKMP: SA life type in seconds
2d23h: ISAKMP: SA life duration (basic) of 3600
2d23h: ISAKMP: encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: key length is 128
2d23h: ISAKMP: authenticator is HMAC-SHA
2d23h: ISAKMP: SA life type in seconds
2d23h: ISAKMP: SA life duration (basic) of 3600
2d23h: ISAKMP: encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: key length is 128
2d23h: ISAKMP: authenticator is HMAC-MD5
2d23h: ISAKMP: SA life type in seconds
2d23h: ISAKMP: SA life duration (basic) of 3600
2d23h: ISAKMP: encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP: attributes in transform:
2d23h: ISAKMP: key length is 128
2d23h: ISAKMP: authenticator is HMAC-SHA
2d23h: ISAKMP: SA life type in seconds
2d23h: ISAKMP: SA life duration (basic) of 3600
2d23h: ISAKMP: encaps is 1 (Tunnel)
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): phase 2 SA policy not acceptable! (local 82.x.x.x remote 217.x.x.x)
2d23h: ISAKMP: set new node 326922217 to QM_IDLE
2d23h: ISAKMP:(0:21:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 1691668640, message ID = 326922217
2d23h: ISAKMP:(0:21:SW:1): sending packet to 217.x.x.x my_port 500 peer_port 500 (R) QM_IDLE
2d23h: ISAKMP:(0:21:SW:1):purging node 326922217
2d23h: ISAKMP:(0:21:SW:1):deleting node -1473959992 error TRUE reason "QM rejected"
2d23h: ISAKMP (0:134217749): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node -1473959992: state = IKE_QM_READY
2d23h: ISAKMP:(0:21:SW:1):Node -1473959992, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
2d23h: ISAKMP:(0:21:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
2d23h: ISAKMP:(0:22:SW:1):purging node 124919870

cisco config

crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 123456 address 217.x.x.x no-xauth
crypto isakmp key 123456 address 85.x.x.x no-xauth
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set VPN esp-aes
!
crypto map xxx 10 ipsec-isakmp
 set peer 217.x.x.x
 set transform-set VPN
 match address 111
crypto map eon 20 ipsec-isakmp
 set peer 85.x.x.x
 set transform-set VPN-EON
 match address 112
!
----//----

xxx#sh crypto map tag xxx
Crypto Map "xxx" 10 ipsec-isakmp
        Peer = 217.x.x.x
        Extended IP access list 111
            access-list 111 permit ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255
        Current peer: 217.x.x.x
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ VPN, }
Crypto Map "xxx" 20 ipsec-isakmp
        Peer = 85.x.x.x
        Extended IP access list 112
            access-list 112 permit ip 192.168.200.0 0.0.0.255 192.168.96.0 0.0.7.255
        Current peer: 85.x.x.x
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ VPN, }
        Interfaces using crypto map xxx:
                FastEthernet0/1

---//---

the dlink is a dfl-1600

any ideas? hammer is not possible because the dlink box is on the other side of the ocean :)

mac

2008/12/12 Mario Spinthiras
> How about the actual problem so we can help there? Logs , errors?
>

From eimantas at occ.lt Fri Dec 12 08:37:54 2008
From: eimantas at occ.lt (Eimantas Zdanevičius)
Date: Fri, 12 Dec 2008 15:37:54 +0200
Subject: [c-nsp] ASA5520 can't read from flash
Message-ID: <49426932.4000001@occ.lt>

Hi all,

I have a problem with my asa5520 internal flash. I cannot read any file from it. After reboot asa cannot boot. Is there a way to reformat flash and put a new image on it? Or can I use my external flash to run my asa? Or is there another solution?

Thanks
Eimantas

From David.Lima at alphasys.com.bo Fri Dec 12 10:40:59 2008
From: David.Lima at alphasys.com.bo (David Lima)
Date: Fri, 12 Dec 2008 11:40:59 -0400
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
Message-ID:

Hi all, I have a Cat6500 x6k-sup2-2ge running an IOS software.

My problem is that I'm stuck in rommon mode after the IOS upgrade. Now I have a PCMCIA and I want to boot the new IOS from the PCMCIA.

I cannot format the PCMCIA from the rommon mode.

How can I format the PCMCIA? The only way is format from the target Catalyst switch?
All these because I have an error about invalid magic number when I insert the PCMCIA card into the Supervisor2 slot in rommon mode.

Please I need your help,

Thanks in advance.

David

From jfitz at Princeton.EDU Fri Dec 12 10:55:03 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Fri, 12 Dec 2008 10:55:03 -0500
Subject: [c-nsp] High SNMP CPU with SXH. Is SXI any better?
Message-ID: <0616C55E-DF02-46D0-885A-A33429759938@princeton.edu>

We are running 12.2SXH2a on sup720-CXL and have been having consistently high (80-100%) CPU on the route processor when retrieving either the ARP table or the Bridge-mac table. No matter what program we use, HP NNM or an snmp script, the CPU route process goes from 20% to 90+% with the SNMP process being the top dog when you do a "sho proc cpu sort".

I have looked at every option on the list and at CISCO but nothing resolves the problem. It appears that internally the route processor is doing a lot of crunching to get this table data, specifically the ARP and Bridge Mac table. I remember something about the format it's in and it had to be converted when retrieved with SNMP.

Q. Does anybody know if there is any change with SXI and SNMP queries?

I also remember reading something about a different way to retrieve this data locally on the router and push it to a host, but cannot find any reference to it now. Any ideas on this?

Thanks for any help.

Jeff Fitzwater
OIT Network Systems
Princeton University

From tkacprzynski at SpencerStuart.com Fri Dec 12 10:57:53 2008
From: tkacprzynski at SpencerStuart.com (tkacprzynski at SpencerStuart.com)
Date: Fri, 12 Dec 2008 09:57:53 -0600
Subject: [c-nsp] Detect Upstream ISP's BGP problems.
In-Reply-To: <49426932.4000001@occ.lt>
Message-ID:

Hello,

I'm trying to figure out how to best configure peering with two ISPs. Basically this is a dual providers setup. Both ISPs will send me the default route (I will set one with LOCAL PREF).
My question is how would I detect a routing problem with one ISP's bgp network and failover to the other one? I know I could ask the ISPs to provide me a core route and use conditional advertisement, which would work well for traffic coming inbound, but what about outbound? How can I make the default route disappear from an ISP that is having internal problems?

Thank you in advance for any help.

Tom

From RTeller at deltadentalwa.com Fri Dec 12 11:07:34 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Fri, 12 Dec 2008 08:07:34 -0800
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
In-Reply-To:
References:
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC019A2@tiger.deltadentalwa.com>

I ran into a similar problem and had to RMA a new sup/cf card from cisco.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Lima
Sent: Friday, December 12, 2008 7:41 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA

Hi all, I have a Cat6500 x6k-sup2-2ge running an IOS software.

My problem is that I'm stuck in rommon mode after the IOS upgrade. Now I have a PCMCIA and I want to boot the new IOS from the PCMCIA.

I cannot format the PCMCIA from the rommon mode.

How can I format the PCMCIA? The only way is format from the target Catalyst switch?

All these because I have an error about invalid magic number when I insert the PCMCIA card into the Supervisor2 slot in rommon mode.

Please I need your help,

Thanks in advance.

David

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure.
This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From mcgrath at fas.harvard.edu Fri Dec 12 11:16:04 2008
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Fri, 12 Dec 2008 11:16:04 -0500
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC019A2@tiger.deltadentalwa.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC019A2@tiger.deltadentalwa.com>
Message-ID: <49428E44.2090907@fas.harvard.edu>

You can boot a sup2 from TFTP in ROMMON

Teller, Robert wrote:
> I ran into a similar problem and had to RMA a new sup/cf card from
> cisco.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Lima
> Sent: Friday, December 12, 2008 7:41 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
>
> Hi all, I have a Cat6500 x6k-sup2-2ge running an IOS software.
>
> My problem is that I'm stuck in rommon mode after the IOS upgrade. Now I
> have a PCMCIA and I want to boot the new IOS from the PCMCIA.
>
> I cannot format the PCMCIA from the rommon mode.
>
> How can I format the PCMCIA? The only way is format from the target
> Catalyst switch?
>
> All these because I have an error about invalid magic number when I
> insert the PCMCIA card into the Supervisor2 slot in rommon mode.
>
> Please I need your help,
>
> Thanks in advance.
>
> David
>

From David.Lima at alphasys.com.bo Fri Dec 12 11:28:28 2008
From: David.Lima at alphasys.com.bo (David Lima)
Date: Fri, 12 Dec 2008 12:28:28 -0400
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
In-Reply-To: <49428E44.2090907@fas.harvard.edu>
Message-ID:

Hi, thanks for your response.

I cannot see the tftpdnld from rommon mode, or I'm missing something to boot an IOS from TFTP.

Thanks again guys.

David

-----Original Message-----
From: Scott McGrath [mailto:mcgrath at fas.harvard.edu]
Sent: Friday, 12 December 2008 11:16 a.m.
To: Teller, Robert
CC: David Lima; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cat6500 sup2 boot from PCMCIA

You can boot a sup2 from TFTP in ROMMON

Teller, Robert wrote:
> I ran into a similar problem and had to RMA a new sup/cf card from
> cisco.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Lima
> Sent: Friday, December 12, 2008 7:41 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
>
> Hi all, I have a Cat6500 x6k-sup2-2ge running an IOS software.
>
> My problem is that I'm stuck in rommon mode after the IOS upgrade. Now I
> have a PCMCIA and I want to boot the new IOS from the PCMCIA.
>
> I cannot format the PCMCIA from the rommon mode.
>
> How can I format the PCMCIA? The only way is format from the target
> Catalyst switch?
>
> All these because I have an error about invalid magic number when I
> insert the PCMCIA card into the Supervisor2 slot in rommon mode.
>
> Please I need your help,
>
> Thanks in advance.
>
> David
>
__________ Information from ESET NOD32 Antivirus, version of virus signature database 3684 (20081211) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

From saku+cisco-nsp at ytti.fi Fri Dec 12 11:41:33 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Fri, 12 Dec 2008 18:41:33 +0200
Subject: [c-nsp] Detect Upstream ISP's BGP problems.
In-Reply-To:
References: <49426932.4000001@occ.lt>
Message-ID: <20081212164133.GA13286@mx.ytti.net>

On (2008-12-12 09:57 -0600), tkacprzynski at spencerstuart.com wrote:
> I know I could ask the ISPs to provide me a core route and use
> conditional advertisement, which would work well for traffic coming
> inbound, but what about outbound? How can I make the default route
> disappear from an ISP that is having internal problems.

Don't get default, get PA aggregate. And point static route to that PA aggregate and the interface. If ISPs peering router is separated from ISPs core, the PA aggregate disappears and static default will be invalid, allowing you to converge to another path.

For more advanced stuff, you might want to look at 'PfR' from cisco.

--
  ++ytti

From p.mayers at imperial.ac.uk Fri Dec 12 11:50:26 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 12 Dec 2008 16:50:26 +0000
Subject: [c-nsp] High SNMP CPU with SXH. Is SXI any better?
In-Reply-To: <0616C55E-DF02-46D0-885A-A33429759938@princeton.edu>
References: <0616C55E-DF02-46D0-885A-A33429759938@princeton.edu>
Message-ID: <49429652.4000009@imperial.ac.uk>

Jeff Fitzwater wrote:
> We are running 12.2SXH2a on sup720-CXL and have been having
> consistently high (80-100%) CPU on route processor when retrieving
> either the ARP table or the Bridge-mac table. No matter what program
> we use HP NNM or an snmp script, the CPU route process goes from 20%
> to 90+% with the SNMP process being the top dog when you do a "sho
> proc cpu sort".

How big is your ARP table? We see high-ish CPU usage with >6k entries, even on SXF. Identically configured routers with ~4k entries see much lower CPU usage. There seems to be a non-linear growth in CPU usage for polling (the ARP table at least).

I do have a TAC case open with Cisco (how bad is it going to be with ~10k entries?) but their response has been... poor.

There's some docs on the Cisco website from days of yore, advising people to enable CEF, because it provides lexically-sorted data structures allowing the ipNetToMedia table to be rendered quickly. Obviously this does not apply to 6500s. I suspect the 6500s don't store the ARP table in OID-lexical order internally, and the CPU is having to sort the table every time. I suspect the same applies to the dot1dTpFdb table.

>
> I have looked at every option on list and at CISCO but nothing
> resolves the problem. It appears that internally the route processor
> is doing a lot of crunching to get this table data, specifically the
> ARP and Bridge Mac table. I remember something about the format it's
> in and it had to be converted when retrieved with SNMP.
>
>
> Q. Does anybody know if there is any change with SXI and SNMP queries?
>
> I also remember reading something about a different way to retrieve
> this data locally on the router and push it to a host, but cannot find
> any reference to it now. Any ideas on this?
There's some support for bulk data gathering

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/gdatacol.html

...however if (as I suspect) the

From dwcarder at wisc.edu Fri Dec 12 11:53:02 2008
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Fri, 12 Dec 2008 10:53:02 -0600
Subject: [c-nsp] High SNMP CPU with SXH. Is SXI any better?
In-Reply-To: <0616C55E-DF02-46D0-885A-A33429759938@princeton.edu>
References: <0616C55E-DF02-46D0-885A-A33429759938@princeton.edu>
Message-ID: <23CBC8DC-C2EF-4EB8-9FEB-757DDA478C5B@wisc.edu>

Hi Jeff,

On Dec 12, 2008, at 9:55 AM, Jeff Fitzwater wrote:
> We are running 12.2SXH2a on sup720-CXL and have been having
> consistently high (80-100%) CPU on route processor when retrieving
> either the ARP table or the Bridge-mac table. No matter what
> program we use HP NNM or an snmp script, the CPU route process goes
> from 20% to 90+% with the SNMP process being the top dog when you do
> a "sho proc cpu sort".

We see this too. I'm guessing you also have a non-trivial amount of directly connected hosts?

> It appears that internally the route processor is doing a lot of
> crunching to get this table data, specifically the ARP and Bridge
> Mac table. I remember something about the format it's in and it
> had to be converted when retrieved with SNMP.

See RFC 1905 4.2.2(1) which requires lexicographical ordering of retrieved values. So, if IOS stores the arp/cef/whatever datastructure in memory in any other format, which seems likely, it would have to sort the table every time to spit it out via snmp.

Now, this is of course compounded by the sup720 RP having a processor that lags behind current commodity chips by at least 6 years.

> Q. Does anybody know if there is any change with SXI and SNMP
> queries?

I wouldn't expect anything to change unless the sorting algorithm were dramatically improved or unless IOS specifically maintained this table in a better fashion.
Maybe if Cisco hadn't alienated their customers with the 6500/7600 split, you would have an RSP720 today.

> I also remember reading something about a different way to retrieve
> this data locally on the router and push it to a host, but cannot
> find any reference to it now. Any ideas on this?

I haven't looked into it, but perhaps you can find a cisco specific mib, maybe cef or mls specific that doesn't have this performance penalty? Otherwise, I bet a query via clogin outperforms the snmp table.

Dale
--
Dale W. Carder - Network Engineer
University of Wisconsin / WiscNet
http://net.doit.wisc.edu/~dwcarder

From tkacprzynski at SpencerStuart.com Fri Dec 12 12:02:26 2008
From: tkacprzynski at SpencerStuart.com (tkacprzynski at SpencerStuart.com)
Date: Fri, 12 Dec 2008 11:02:26 -0600
Subject: [c-nsp] Detect Upstream ISP's BGP problems.
In-Reply-To: <20081212164133.GA13286@mx.ytti.net>
Message-ID:

That sounds like a good idea. Thank you very much.

What do you think of using conditional advertisement based on their Route Reflector to advertise a default route? (I think the biggest problem is that most ISPs might not want to do that, correct?)

Thank you again.

Tom

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: Friday, December 12, 2008 10:42 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Detect Upstream ISP's BGP problems.

On (2008-12-12 09:57 -0600), tkacprzynski at spencerstuart.com wrote:
> I know I could ask the ISPs to provide me a core route and use
> conditional advertisement, which would work well for traffic coming
> inbound, but what about outbound? How can I make the default route
> disappear from an ISP that is having internal problems.

Don't get default, get PA aggregate. And point static route to that PA aggregate and the interface.
If ISPs peering router is separated from ISPs core, the PA aggregate disappears and static default will be invalid, allowing you to converge to another path.

For more advanced stuff, you might want to look at 'PfR' from cisco.

--
  ++ytti

From p.mayers at imperial.ac.uk Fri Dec 12 12:25:59 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 12 Dec 2008 17:25:59 +0000
Subject: [c-nsp] High SNMP CPU with SXH. Is SXI any better?
In-Reply-To: <23CBC8DC-C2EF-4EB8-9FEB-757DDA478C5B@wisc.edu>
References: <0616C55E-DF02-46D0-885A-A33429759938@princeton.edu> <23CBC8DC-C2EF-4EB8-9FEB-757DDA478C5B@wisc.edu>
Message-ID: <49429EA7.6060805@imperial.ac.uk>

> I haven't looked into it, but perhaps you can find a cisco specific
> mib, maybe cef or mls specific that doesn't have this performance

CISCO-SWITCH-ENGINE-MIB::cseCef* are the ones. However, they contain basically the entire FIB & adjacency entries. They're faster to walk, but their size can make the whole process slower :o(

> penalty? Otherwise, I bet a query via clogin outperforms the snmp
> table.

It certainly does. ~10 seconds versus ~2min 30sec on our busiest router.

Cisco - Offering the very best in 1970s Network Management Technology...

From SIngram at clayton.com Fri Dec 12 13:06:03 2008
From: SIngram at clayton.com (Scott Ingram)
Date: Fri, 12 Dec 2008 13:06:03 -0500
Subject: [c-nsp] ASA 5520 inside interface used for Clients Default Gateway
Message-ID:

I'm having issues when I point my clients' DHCP lease gateway to the inside addr of the ASA (they can not connect to any internal network the ASA has routes to). I validated from the ASA inside addr can see these networks "ping" and he receives replies...
So, I'm thinking the ASA is trying to NAT the internal source addr when the source connects to him (internal side of the ASA) for the route next hop.

IMPORTANT NOTICE: This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this message in error, you are hereby notified that we do not consent to any reading, dissemination, distribution or copying of this message. If you have received this communication in error, please notify the sender immediately and destroy the transmitted information.

From David.Lima at alphasys.com.bo Fri Dec 12 13:07:54 2008
From: David.Lima at alphasys.com.bo (David Lima)
Date: Fri, 12 Dec 2008 14:07:54 -0400
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
In-Reply-To: <49428E44.2090907@fas.harvard.edu>
Message-ID:

Hi again, just one question. Is there a way to format the PCMCIA card from another device (a router or a PC)? It's because I don't have any other Supervisor2 to do this. Could it be compatible?

Thanks for any suggestion.

David

-----Original Message-----
From: Scott McGrath [mailto:mcgrath at fas.harvard.edu]
Sent: Friday, December 12, 2008 11:16 a.m.
To: Teller, Robert
CC: David Lima; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cat6500 sup2 boot from PCMCIA

You can boot a sup2 from TFTP in ROMMON

Teller, Robert wrote:
> I ran into a similar problem and had to RMA a new sup/cf card from
> cisco.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Lima
> Sent: Friday, December 12, 2008 7:41 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
>
> Hi all, I have a Cat6500 x6k-sup2-2ge running an IOS software.
>
> My problem is that I'm stuck in rommon mode after the IOS upgrade. Now I
> have a PCMCIA and I want to boot the new IOS from the PCMCIA.
>
> I cannot format the PCMCIA from the rommon mode.
>
> How can I format the PCMCIA? The only way is to format from the target
> Catalyst switch?
>
> All this because I have an error about invalid magic number when I
> insert the PCMCIA card into the Supervisor2 slot in rommon mode.
>
> Please I need your help,
>
> Thanks in advance.
>
> David
>
> #########################################################
> The information contained in this e-mail and subsequent attachments may be privileged,
> confidential and protected from disclosure. This transmission is intended for the sole
> use of the individual and entity to whom it is addressed. If you are not the intended
> recipient, any dissemination, distribution or copying is strictly prohibited. If you
> think that you have received this message in error, please e-mail the sender at the above
> e-mail address.
> #########################################################

__________ Information from ESET NOD32 Antivirus, version of virus signature database 3684 (20081211) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

From jfitz at Princeton.EDU Fri Dec 12 13:29:21 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Fri, 12 Dec 2008 13:29:21 -0500
Subject: [c-nsp] High SNMP CPU with SXH. Is SXI any better?
In-Reply-To: <49429EA7.6060805@imperial.ac.uk>
References: <0616C55E-DF02-46D0-885A-A33429759938@princeton.edu> <23CBC8DC-C2EF-4EB8-9FEB-757DDA478C5B@wisc.edu> <49429EA7.6060805@imperial.ac.uk>
Message-ID:

On the router with the problem we have 18K entries and our HP NNM management platform can only use snmp to get the ARP and bridge mib. How in the world does CISCO do it with their net management products? Hmm... Maybe it doesn't either.

So now I have two great management tools, NETFLOW and SNMP, that I can't use.

Our next upgrades may not be CISCO and I know we are not the only ones.

Jeff Fitzwater
OIT Network systems
Princeton University

On Dec 12, 2008, at 12:25 PM, Phil Mayers wrote:

>> I haven't looked into it, but perhaps you can find a cisco specific
>> mib, maybe cef or mls specific that doesn't have this performance
>
> CISCO-SWITCH-ENGINE-MIB::cseCef* are the ones. However, they contain
> basically the entire FIB & adjacency entries. They're faster to
> walk, but their size can make the whole process slower :o(
>
>> penalty? Otherwise, I bet a query via clogin outperforms the snmp
>> table.
>
> It certainly does. ~10 seconds versus ~2min 30sec on our busiest
> router.
>
> Cisco - Offering the very best in 1970s Network Management
> Technology...

From cchurc05 at harris.com Fri Dec 12 13:39:40 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Fri, 12 Dec 2008 12:39:40 -0600
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
In-Reply-To:
References: <49428E44.2090907@fas.harvard.edu>
Message-ID:

I think you can format the card (if it's the 64MB ATA card) in a PC running Windows, use FAT16 filesystem. Copy the image to the card, and try to boot it from ROMMON.
Once running, you'll need to format the card in IOS (so the MONLIB (kind of like a boot sector) is put on there). Then you can use Windows to copy the file again to the card (but don't format it again, obviously). Then I think it should auto-boot. If it's less than 64MB, I don't think Windows can recognize it as a disk drive without special drivers, which may or may not exist. Make sure your ROMMON version is 7.1(1) if it is a 64MB card, can't recognize it without.

Chuck
From David.Lima at alphasys.com.bo Fri Dec 12 13:47:10 2008
From: David.Lima at alphasys.com.bo (David Lima)
Date: Fri, 12 Dec 2008 14:47:10 -0400
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
In-Reply-To:
Message-ID:

Thanks a lot Charles for your response. I tried your suggestion, but when I boot from my slot0:IOS_IMAGE I have a bad file magic number error. Am I missing anything in the Rommon configuration?

Rommon>boot slot0:IOS_IMAGE

Thanks again Charles.

David.
From cchurc05 at harris.com Fri Dec 12 13:54:29 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Fri, 12 Dec 2008 12:54:29 -0600
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
In-Reply-To:
References:
Message-ID:

Is it a 64MB card? If so, use 'disk0' in place of 'slot0'.

Chuck Church
Principal Network Engineer, CCIE #8776
Harris Information Technology Services
EDS Contractor - Navy Marine Corps Intranet (NMCI)
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978
From David.Lima at alphasys.com.bo Fri Dec 12 13:58:17 2008
From: David.Lima at alphasys.com.bo (David Lima)
Date: Fri, 12 Dec 2008 14:58:17 -0400
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
In-Reply-To:
Message-ID:

Hi Charles, I really appreciate your time.

I have two PCMCIA cards:
- ATA FLASH Card Viking 48MB
- ATA FLASH Card SanDisk 48MB

Thanks again.

David

From chloekcy2000 at yahoo.ca Fri Dec 12 14:05:15 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Fri, 12 Dec 2008 14:05:15 -0500 (EST)
Subject: [c-nsp] suddenly lost telnet connection in switch
Message-ID: <66563.50414.qm@web57411.mail.re1.yahoo.com>

Hi

I am doing the following access-list for www to restrict switch http access, but when I apply it on the interface I suddenly lost the telnet connection. Why?
Extended IP access list 110 permit tcp 192.168.0.0 0.255.255.255 any eq www permit tcp 172.16.0.0 0.255.255.255 any eq www permit tcp 10.0.0.0 0.255.255.255 any eq www deny tcp any eq www any deny tcp any eq www any log switch(config)#interface VLAN1 switch(config-if)#ip access-group 110 in switch(config-if)# --------------------------------- Now with a new friend-happy design! Try the new Yahoo! Canada Messenger From David.Lima at alphasys.com.bo Fri Dec 12 14:25:54 2008 From: David.Lima at alphasys.com.bo (David Lima) Date: Fri, 12 Dec 2008 15:25:54 -0400 Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA Message-ID: -----Mensaje original----- De: David Lima Enviado el: Viernes, 12 de Diciembre de 2008 03:09 p.m. Para: 'Church, Charles' Asunto: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA Hi Charles, these cards was working on cisco 7200 routers. Just I think that I can load a new image in one of these cards and boot from the rommon mode. I can see both slots: slot0 and disk0 but I can't see the stored IOS because the invalid magic number error. Thanks again David -----Mensaje original----- De: Church, Charles [mailto:cchurc05 at harris.com] Enviado el: Viernes, 12 de Diciembre de 2008 02:03 p.m. Para: David Lima Asunto: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA Have those cards ever worked in that device? Can you do a 'dev' in ROMMON, and see 'slot0' or 'disk0' listed? Can you do a 'dir' on that device listed? I don't recognize that as a normal size flash card for a Sup2. Chuck -----Original Message----- From: David Lima [mailto:David.Lima at alphasys.com.bo] Sent: Friday, December 12, 2008 1:58 PM To: Church, Charles Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA Hi Charles, I really appreciate your time. I Have two PCMCIA cards: - ATA FLASH Card Viking 48MB - ATA FLASH Card SanDisk 48MB Thanks again. 
David -----Mensaje original----- De: Church, Charles [mailto:cchurc05 at harris.com] Enviado el: Viernes, 12 de Diciembre de 2008 01:54 p.m. Para: David Lima CC: cisco-nsp at puck.nether.net Asunto: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA Is it a 64MB card? If so, use 'disk0' in place of 'slot0'. Chuck Church Principal Network Engineer, CCIE #8776 Harris Information Technology Services EDS Contractor - Navy Marine Corps Intranet (NMCI) 1210 N. Parker Rd. | Greenville, SC 29609 Office: 864-335-9473 | Cell: 864-266-3978 -----Original Message----- From: David Lima [mailto:David.Lima at alphasys.com.bo] Sent: Friday, December 12, 2008 1:47 PM To: Church, Charles Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA Thanks a lot Charles for your response. I tried your suggestion but when I boot from my slot0:IOS_IMAGE I have a bad file magic number error. Do I missing anything in the Rommon configuration? Rommon>boot slot0:IOS_IMAGE Thanks again Charles. David. -----Mensaje original----- De: Church, Charles [mailto:cchurc05 at harris.com] Enviado el: Viernes, 12 de Diciembre de 2008 01:40 p.m. Para: David Lima CC: cisco-nsp at puck.nether.net Asunto: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA I think you can format the card (if it's the 64MB ATA card) in a PC running Windows, use FAT16 filesystem. Copy the image to the card, and try to boot it from ROMMON. Once running, you'll need to format the card in IOS (so the MONLIB (kind of like a boot sector) is put on there). Then you can use Windows to copy the file again to the card (but don't format it again, obviously). Then I think it should auto-boot. If it's less than 64MB, I don't think Windows can recognize it as a disk drive without special drivers, which may or may not exist. Make sure your ROMMON version is 7.1(1) if it is a 64MB card, can't recognize it without. 
Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Lima Sent: Friday, December 12, 2008 1:08 PM To: Scott McGrath; Teller, Robert Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cat6500 sup2 boot from PCMCIA Hi again, just one question. Is there a way to format the PCMCIA card from another device (A router or a PC). It because I don't have any othr supervisor2 to do this. It could be compatible? Thanks for any suggesti?n. David -----Mensaje original----- De: Scott McGrath [mailto:mcgrath at fas.harvard.edu] Enviado el: Viernes, 12 de Diciembre de 2008 11:16 a.m. Para: Teller, Robert CC: David Lima; cisco-nsp at puck.nether.net Asunto: Re: [c-nsp] Cat6500 sup2 boot from PCMCIA You can boot a sup2 from TFTP in ROMMON Teller, Robert wrote: > I ran into a similar problem and had to RMA a new sup/cf card from > cisco. > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Lima > Sent: Friday, December 12, 2008 7:41 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA > > Hi all, I have a Cat6500 x6k-sup2-2ge running an IOS software. > > My problem is that I'm stuck in rommon mode after the IOS upgrade. Now I > have A PCMCIA and I want to boot the new IOS from the PCMCIA. > > I cannot format the PCMCIA from the rommon mode. > > How can I format the PCMCIA? The only way is format from the target > Catatalyst switch? > > All these because I have an error about invalid magic number when I > insert the PCMCIA card into the Supervisor2 slot in rommon mode. > > Please I need your help, > > Thanks in advance. 
> > David
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> #########################################################
> The information contained in this e-mail and subsequent attachments may be privileged,
> confidential and protected from disclosure. This transmission is intended for the sole
> use of the individual and entity to whom it is addressed. If you are not the intended
> recipient, any dissemination, distribution or copying is strictly prohibited. If you
> think that you have received this message in error, please e-mail the sender at the above
> e-mail address.
> #########################################################
>
> __________ Information from ESET NOD32 Antivirus, version of virus signature database 3684 (20081211) __________
> The message was checked by ESET NOD32 Antivirus.
> http://www.eset.com
From RTeller at deltadentalwa.com Fri Dec 12 14:26:11 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Fri, 12 Dec 2008 11:26:11 -0800
Subject: [c-nsp] suddenly lost telnet connection in switch
In-Reply-To: <66563.50414.qm@web57411.mail.re1.yahoo.com>
References: <66563.50414.qm@web57411.mail.re1.yahoo.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC019B4@tiger.deltadentalwa.com>

Try this

Extended IP access list 110
permit tcp 192.168.0.0 0.255.255.255 [Vlan 1 ip] eq www
permit tcp 172.16.0.0 0.255.255.255 [Vlan 1 ip] eq www
permit tcp 10.0.0.0 0.255.255.255 [Vlan 1 ip] eq www
permit tcp [ip address] [Vlan 1 ip] eq telnet
deny tcp any eq www any log


Extended IP access list 110
permit tcp 192.168.0.0 0.255.255.255 any eq www
permit tcp 172.16.0.0 0.255.255.255 any eq www
permit tcp 10.0.0.0 0.255.255.255 any eq www
deny tcp any eq www any
deny tcp any eq www any log [your log is after your www deny so it won't log anything]

You should be using https and ssh instead of http and telnet.

When using an access-list all traffic is explicitly denied.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chloe K
Sent: Friday, December 12, 2008 11:05 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] suddenly lost telnet connection in switch

Hi

I am doing the following access-list for www to restrict to switch http access
but when I apply it in the interface, I suddenly lost telnet connection.
Why?
Extended IP access list 110
permit tcp 192.168.0.0 0.255.255.255 any eq www
permit tcp 172.16.0.0 0.255.255.255 any eq www
permit tcp 10.0.0.0 0.255.255.255 any eq www
deny tcp any eq www any
deny tcp any eq www any log

switch(config)#interface VLAN1
switch(config-if)#ip access-group 110 in
switch(config-if)#

From streiner at cluebyfour.org Fri Dec 12 14:28:27 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Fri, 12 Dec 2008 14:28:27 -0500 (EST)
Subject: [c-nsp] suddenly lost telnet connection in switch
In-Reply-To: <66563.50414.qm@web57411.mail.re1.yahoo.com>
References: <66563.50414.qm@web57411.mail.re1.yahoo.com>
Message-ID:

On Fri, 12 Dec 2008, chloe K wrote:

> I am doing the following access-list for www to restrict to switch http access
> but when I apply it in the interface, I suddenly lost telnet connection.
> Why?
>
> Extended IP access list 110
> permit tcp 192.168.0.0 0.255.255.255 any eq www
> permit tcp 172.16.0.0 0.255.255.255 any eq www
> permit tcp 10.0.0.0 0.255.255.255 any eq www
> deny tcp any eq www any
> deny tcp any eq www any log

You need to permit telnet connections. The ACL above only deals with HTTP connections. Also, at the bottom of most packet-filtering ACLs like this, there is an implicit "deny any", so if a packet doesn't match against any of your explicitly defined ACL rules, it will fall to that implicit "deny any" and get dropped.

jms

From RWerber at epiknetworks.com Fri Dec 12 14:28:54 2008
From: RWerber at epiknetworks.com (Ryan Werber)
Date: Fri, 12 Dec 2008 14:28:54 -0500
Subject: [c-nsp] suddenly lost telnet connection in switch
References: <66563.50414.qm@web57411.mail.re1.yahoo.com>
Message-ID: <4D58C7B4943F874BA4CB5D68A79240605FC7AA@Epikserver2.Epik.local>

The default is to deny. You would have to put a permit tcp any any in first to change that behavior.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chloe K
Sent: Friday, December 12, 2008 11:05 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] suddenly lost telnet connection in switch

Hi

I am doing the following access-list for www to restrict to switch http access
but when I apply it in the interface, I suddenly lost telnet connection.
Why?
Extended IP access list 110
permit tcp 192.168.0.0 0.255.255.255 any eq www
permit tcp 172.16.0.0 0.255.255.255 any eq www
permit tcp 10.0.0.0 0.255.255.255 any eq www
deny tcp any eq www any
deny tcp any eq www any log

switch(config)#interface VLAN1
switch(config-if)#ip access-group 110 in
switch(config-if)#

From pzdevans at gmail.com Fri Dec 12 14:30:49 2008
From: pzdevans at gmail.com (Dan Evans)
Date: Fri, 12 Dec 2008 14:30:49 -0500
Subject: [c-nsp] suddenly lost telnet connection in switch
In-Reply-To: <66563.50414.qm@web57411.mail.re1.yahoo.com>
References: <66563.50414.qm@web57411.mail.re1.yahoo.com>
Message-ID: <677ac06c0812121130k38b9d6e9yc464c33ace311ee6@mail.gmail.com>

At the end of an access list is an implicit "deny all" statement. If you don't account for telnet traffic in the acl then it gets dropped.

The access list example you used effectively states:

Allow port 80 traffic from source blocks 192/8, 172/8, and 10/8.
Drop *everything* else.

On Fri, Dec 12, 2008 at 2:05 PM, chloe K wrote:
> Hi
>
> I am doing the following access-list for www to restrict to switch http
> access
> but when I apply it in the interface, I suddenly lost telnet connection.
> Why?
>
>
> Extended IP access list 110
> permit tcp 192.168.0.0 0.255.255.255 any eq www
> permit tcp 172.16.0.0 0.255.255.255 any eq www
> permit tcp 10.0.0.0 0.255.255.255 any eq www
> deny tcp any eq www any
> deny tcp any eq www any log
>
> switch(config)#interface VLAN1
> switch(config-if)#ip access-group 110 in
> switch(config-if)#

From justin at justinshore.com Fri Dec 12 14:33:30 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 12 Dec 2008 13:33:30 -0600
Subject: [c-nsp] IPSec between Cisco and D-Link
In-Reply-To: <88dfbf880812120455p2a276a9bve5f0439d47f11680@mail.gmail.com>
References: <88dfbf880812110713m472d46d2ufae29e265a181a7d@mail.gmail.com> <4f890e580812111901p475c3975g2cc8152deee48ef1@mail.gmail.com> <88dfbf880812120455p2a276a9bve5f0439d47f11680@mail.gmail.com>
Message-ID: <4942BC8A.8040106@justinshore.com>

It looks like you have a phase 2 problem. Your IPSec transform-set isn't matching up with what the D-Link is offering. Try changing the transform-set to something more useful like this:

crypto ipsec transform-set encraes128md5 esp-aes 128 esp-md5-hmac

It would be better if you used AES256.

crypto ipsec transform-set encraes256md5 esp-aes 256 esp-md5-hmac

These are good fallback transform-sets if need be.

crypto ipsec transform-set encr3dessha esp-3des esp-sha-hmac
crypto ipsec transform-set encr3dessha-gre esp-3des esp-sha-hmac

Don't forget to update your crypto maps with the name of the transform-set you chose to use. Also, I would not recommend messing with the lifetime values unless the remote end requires it.
Justin

twisted mac wrote:
> Seems fair enough :)
>
> logs from dlink
>
> 2008-12-11 17:30:21: IkeSnoop: Received IKE packet from
> 82.x.x.x:500 Exchange
> type : Informational ISAKMP Version : 1.0 Flags : E (encryption) Cookies :
> 0x458f51017c4a446 -> 0xa582286a38ab6fb0 Message ID : 0x2f8ad085 Packet
> length : 452 bytes # payloads : 2 Payloads: HASH (Hash) Payload data length
> : 20 bytes N (Notification) Payload data length : 396 bytes Protocol ID :
> ESP Notification : No proposal chosen
>
>
> logs from cisco:
>
> xxx#debug crypto isakmp
> Crypto ISAKMP debugging is on
> xxx#
> 2d23h: ISAKMP (0:134217749): received packet from 217.x.x.x dport 500 sport
> 500 Global (R) QM_IDLE
> 2d23h: ISAKMP: set new node -1473959992 to QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1): processing HASH payload. message ID = -1473959992
> 2d23h: ISAKMP:(0:21:SW:1): processing SA payload. message ID = -1473959992
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 1, ESP_AES
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-MD5
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 2, ESP_AES
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-SHA
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 3, ESP_3DES
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: authenticator is HMAC-MD5
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: transform 4, ESP_3DES
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: authenticator is HMAC-SHA
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: authenticator is HMAC-MD5
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: authenticator is HMAC-SHA
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-MD5
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-SHA
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-MD5
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-SHA
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): phase 2 SA policy not acceptable! (local 82.x.x.x
> remote 217.x.x.x)
> 2d23h: ISAKMP: set new node 326922217 to QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
> spi 1691668640, message ID = 326922217
> 2d23h: ISAKMP:(0:21:SW:1): sending packet to 217.x.x.x my_port 500 peer_port
> 500 (R) QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1):purging node 326922217
> 2d23h: ISAKMP:(0:21:SW:1):deleting node -1473959992 error TRUE reason "QM
> rejected"
> 2d23h: ISAKMP (0:134217749): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:
> for node -1473959992: state = IKE_QM_READY
> 2d23h: ISAKMP:(0:21:SW:1):Node -1473959992, Input = IKE_MESG_FROM_PEER,
> IKE_QM_EXCH
> 2d23h: ISAKMP:(0:21:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
> 2d23h: ISAKMP:(0:22:SW:1):purging node 124919870
>
> cisco config
>
> crypto isakmp policy 1
> encr aes
> hash md5
> authentication pre-share
> group 2
> lifetime 28800
> crypto isakmp key 123456 address 217.x.x.x no-xauth
> crypto isakmp key 123456 address 85.x.x.x no-xauth
> crypto isakmp aggressive-mode disable
> !
> !
> crypto ipsec transform-set VPN esp-aes
> !
> crypto map xxx 10 ipsec-isakmp
> set peer 217.x.x.x
> set transform-set VPN
> match address 111
> crypto map eon 20 ipsec-isakmp
> set peer 85.x.x.x
> set transform-set VPN-EON
> match address 112
> !
> ----//----
>
> xxx#sh crypto map tag xxx
> Crypto Map "xxx" 10 ipsec-isakmp
> Peer = 217.x.x.x
> Extended IP access list 111
> access-list 111 permit ip 192.168.200.0 0.0.0.255 192.168.0.0
> 0.0.0.255
> Current peer: 217.x.x.x
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={
> VPN,
> }
> Crypto Map "xxx" 20 ipsec-isakmp
> Peer = 85.x.x.x
> Extended IP access list 112
> access-list 112 permit ip 192.168.200.0 0.0.0.255 192.168.96.0
> 0.0.7.255
> Current peer: 85.x.x.x
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={
> VPN,
> }
> Interfaces using crypto map xxx:
> FastEthernet0/1
>
> ---//---
>
> the dlink is a dfl-1600
>
> any ideas? hammer is not possible because the dlink box is on the other side
> of the ocean :)
>
> mac
> 2008/12/12 Mario Spinthiras
>
>> How about the actual problem so we can help there? Logs , errors?
>>

From justin at justinshore.com Fri Dec 12 14:49:43 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 12 Dec 2008 13:49:43 -0600
Subject: [c-nsp] suddenly lost telnet connection in switch
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC019B4@tiger.deltadentalwa.com>
References: <66563.50414.qm@web57411.mail.re1.yahoo.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC019B4@tiger.deltadentalwa.com>
Message-ID: <4942C057.1010109@justinshore.com>

To restate what Robert said, pretend that there is an invisible 'deny ip any any' at the end of every extended ACL (or 'deny any' for standard ACLs). Anything not explicitly permitted is denied by the invisible deny ACE at the end. Personally I always add my own deny all ACE so I have a counter to see that I am rejecting packets. I can also have it log as needed.
As Robert explained, you omitted the permit ACE for telnet and so the invisible deny statement came into effect and dropped your telnet packets.

Personally I never filter traffic destined to my equipment like that. I rely on the ACL-using abilities of the individual internal processes to protect themselves. For example, to restrict VTY access you can use:

line vty 0 15
 access-class 110 in

VTY access-classes can use standard or extended ACLs.

For your web management server, explicitly disable the HTTP server and then enable the HTTPS server:

no ip http server
ip http secure-server
ip http access-class XXX

Note that you must use a standard ACL for filtering connections to the web server, so you'll need another ACL for your HTTP(S) server.

Ditto for SNMP:

snmp-server community STRING ro XXX

It too requires a standard ACL.

You can also use ACLs to secure other protocols, NTP for example. Personally I have one ACL for SNMP access (2 ACLs if I have to separate read-only and read-write access), another for HTTPS access which I rarely enable anyway, another for VTY access, and 1 or 2 for NTP access depending on what NTP function the device serves.

You can also filter at the control-plane with CoPP but I haven't set it up yet.

Justin

Teller, Robert wrote:
> Try this
> Extended IP access list 110
> permit tcp 192.168.0.0 0.255.255.255 [Vlan 1 ip] eq www
> permit tcp 172.16.0.0 0.255.255.255 [Vlan 1 ip] eq www
> permit tcp 10.0.0.0 0.255.255.255 [Vlan 1 ip] eq www
> permit tcp [ip address] [Vlan 1 ip] eq telnet
> deny tcp any eq www any log
>
>
> Extended IP access list 110
> permit tcp 192.168.0.0 0.255.255.255 any eq www
> permit tcp 172.16.0.0 0.255.255.255 any eq www
> permit tcp 10.0.0.0 0.255.255.255 any eq www
> deny tcp any eq www any
> deny tcp any eq www any log [your log is after your www deny so it
> won't log anything]
>
> You should be using https and ssh instead of http and telnet.
>
> When using an access-list all traffic is explicitly denied.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chloe K
> Sent: Friday, December 12, 2008 11:05 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] suddenly lost telnet connection in switch
>
> Hi
>
> I am doing the following access-list for www to restrict to switch
> http access
> but when I apply it in the interface, I suddenly lost telnet
> connection.
> Why?
>
>
> Extended IP access list 110
> permit tcp 192.168.0.0 0.255.255.255 any eq www
> permit tcp 172.16.0.0 0.255.255.255 any eq www
> permit tcp 10.0.0.0 0.255.255.255 any eq www
> deny tcp any eq www any
> deny tcp any eq www any log
>
> switch(config)#interface VLAN1
> switch(config-if)#ip access-group 110 in
> switch(config-if)#

From aaron at fabiani.ca Fri Dec 12 14:29:33 2008
From: aaron at fabiani.ca (Aaron Fabiani)
Date: Fri, 12 Dec 2008 14:29:33 -0500
Subject: [c-nsp] suddenly lost telnet connection in switch
In-Reply-To: <66563.50414.qm@web57411.mail.re1.yahoo.com>
References: <66563.50414.qm@web57411.mail.re1.yahoo.com>
Message-ID: <4942BB9D.1090901@fabiani.ca>

Implicit deny at the end of the ACL... You didn't specifically permit telnet access so it is denied.

chloe K wrote:
> Hi
>
> I am doing the following access-list for www to restrict to switch http access
> but when I apply it in the interface, I suddenly lost telnet connection.
> Why?
>
>
> Extended IP access list 110
> permit tcp 192.168.0.0 0.255.255.255 any eq www
> permit tcp 172.16.0.0 0.255.255.255 any eq www
> permit tcp 10.0.0.0 0.255.255.255 any eq www
> deny tcp any eq www any
> deny tcp any eq www any log
>
> switch(config)#interface VLAN1
> switch(config-if)#ip access-group 110 in
> switch(config-if)#
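An added example, not code from any of the posts in this thread: a small Python model of the extended-ACL evaluation the replies above describe (wildcard masks, first match wins, implicit deny at the end), run over constructed packets against chloe K's access list as posted and against a list in the shape Robert Teller suggested. The SVI address 10.1.1.1, the admin host 10.1.1.50 and the sample packets are made-up values.

```python
# Added example, not code from the cisco-nsp thread: a small model of IOS
# extended-ACL evaluation (wildcard masks, first match wins, implicit "deny ip
# any any") over constructed packets.  10.1.1.1 (SVI) and 10.1.1.50 are made up.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: Tuple[str, str]   # (network, wildcard mask)
    sport: Optional[int]   # port from an "eq" operator after the source
    dst: Tuple[str, str]
    dport: Optional[int]   # port from an "eq" operator after the destination
    log: bool

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _addr(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' at position i."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _port(tok, i):
    """Consume an optional 'eq <port>' at position i."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_ace(line):
    """Parse one extended ACE, e.g. 'permit tcp 192.168.0.0 0.255.255.255 any eq www'."""
    tok = line.split()
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return Ace(tok[0], tok[1], src, sport, dst, dport, "log" in tok[i:])

def build_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def wildcard_match(addr, spec):
    """A 1 bit in an IOS wildcard mask means 'don't care': 192.168.0.0
    0.255.255.255 therefore matches every 192.x.x.x address, not just 192.168/16."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(spec[0]))
    care = ~int(ipaddress.IPv4Address(spec[1])) & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate(acl, pkt):
    """First matching ACE wins and returns (action, ACE index, log flag).  A
    packet matching no ACE hits the invisible 'deny ip any any': (deny, None, False)."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, idx, ace.log
    return "deny", None, False

# chloe K's access list exactly as posted.
ORIGINAL = build_acl("""
permit tcp 192.168.0.0 0.255.255.255 any eq www
permit tcp 172.16.0.0 0.255.255.255 any eq www
permit tcp 10.0.0.0 0.255.255.255 any eq www
deny tcp any eq www any
deny tcp any eq www any log
""")

# The shape Robert Teller suggested, with his bracketed placeholders filled in with
# the made-up addresses and the closing deny matching on the destination port.
FIXED = build_acl("""
permit tcp 192.168.0.0 0.255.255.255 host 10.1.1.1 eq www
permit tcp 172.16.0.0 0.255.255.255 host 10.1.1.1 eq www
permit tcp 10.0.0.0 0.255.255.255 host 10.1.1.1 eq www
permit tcp host 10.1.1.50 host 10.1.1.1 eq telnet
deny tcp any host 10.1.1.1 eq www log
""")

# Constructed inbound packets: admin telnet, HTTP from a 192.x.x.x host, HTTP from outside.
TELNET = Packet("tcp", "10.1.1.50", 40001, "10.1.1.1", 23)
HTTP_OK = Packet("tcp", "192.1.2.3", 40002, "10.1.1.1", 80)
HTTP_BAD = Packet("tcp", "203.0.113.9", 40003, "10.1.1.1", 80)
```

Note that in `deny tcp any eq www any` the port operator sits after the source, so that ACE only matches segments coming from port 80; an outside client's request to the switch falls through to the implicit deny instead and is neither counted nor logged.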
Canada Messenger > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From rogelio.gamino at dc.gov Fri Dec 12 15:56:55 2008 From: rogelio.gamino at dc.gov (Gamino, Rogelio (OCTO-Contractor)) Date: Fri, 12 Dec 2008 15:56:55 -0500 Subject: [c-nsp] IPSec between Cisco and D-Link In-Reply-To: <4942BC8A.8040106@justinshore.com> References: <88dfbf880812110713m472d46d2ufae29e265a181a7d@mail.gmail.com> <4f890e580812111901p475c3975g2cc8152deee48ef1@mail.gmail.com><88dfbf880812120455p2a276a9bve5f0439d47f11680@mail.gmail.com> <4942BC8A.8040106@justinshore.com> Message-ID: <3D0CAA914364E34E9B5D80B53547EE62A3600C@emo-exch2k3-s32.dcgov.priv> Also, make sure the acl's used to define interesting traffic are correct. Rogelio Gamino rogelio.gamino at dc.gov (o) 202-741-5853 -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore Sent: Friday, December 12, 2008 2:33 PM To: twisted mac Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] IPSec between Cisco and D-Link It looks like you have a phase 2 problem. Your IPSec transform-set isn't matching up with what the D-Link is offering. Try changing the transform-set to something more useful like this: crypto ipsec transform-set encraes128md5 esp-aes 128 esp-md5-hmac It would be better if you used AES256. crypto ipsec transform-set encraes256md5 esp-aes 256 esp-md5-hmac These are good fallback transform-sets if need be. crypto ipsec transform-set encr3dessha esp-3des esp-sha-hmac crypto ipsec transform-set encr3dessha-gre esp-3des esp-sha-hmac Don't forget to update your crypto maps with the name of the transform-set you chose to use. Also, I would not recommend messing with the lifetime values unless the remote end requires it. 
Justin twisted mac wrote: > Seems fair enough :) > > logs from dlink > > 2008-12-11 17:30:21: IkeSnoop: Received IKE packet from > 82.x.x.x:500 Exchange > type : Informational ISAKMP Version : 1.0 Flags : E (encryption) Cookies : > 0x458f51017c4a446 -> 0xa582286a38ab6fb0 Message ID : 0x2f8ad085 Packet > length : 452 bytes # payloads : 2 Payloads: HASH (Hash) Payload data length > : 20 bytes N (Notification) Payload data length : 396 bytes Protocol ID : > ESP Notification : No proposal chosen > > > logs from cisco: > > xxx#debug crypto isakmp > Crypto ISAKMP debugging is on > xxx# > 2d23h: ISAKMP (0:134217749): received packet from 217.x.x.x dport 500 sport > 500 Global (R) QM_IDLE > 2d23h: ISAKMP: set new node -1473959992 to QM_IDLE > 2d23h: ISAKMP:(0:21:SW:1): processing HASH payload. message ID = -1473959992 > 2d23h: ISAKMP:(0:21:SW:1): processing SA payload. message ID = -1473959992 > 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1 > 2d23h: ISAKMP: transform 1, ESP_AES > 2d23h: ISAKMP: attributes in transform: > 2d23h: ISAKMP: key length is 128 > 2d23h: ISAKMP: authenticator is HMAC-MD5 > 2d23h: ISAKMP: SA life type in seconds > 2d23h: ISAKMP: SA life duration (basic) of 3600 > 2d23h: ISAKMP: encaps is 1 (Tunnel) > 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable. > 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1 > 2d23h: ISAKMP: transform 2, ESP_AES > 2d23h: ISAKMP: attributes in transform: > 2d23h: ISAKMP: key length is 128 > 2d23h: ISAKMP: authenticator is HMAC-SHA > 2d23h: ISAKMP: SA life type in seconds > 2d23h: ISAKMP: SA life duration (basic) of 3600 > 2d23h: ISAKMP: encaps is 1 (Tunnel) > 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable. 
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1 > 2d23h: ISAKMP: transform 3, ESP_3DES > 2d23h: ISAKMP: attributes in transform: > 2d23h: ISAKMP: authenticator is HMAC-MD5 > 2d23h: ISAKMP: SA life type in seconds > 2d23h: ISAKMP: SA life duration (basic) of 3600 > 2d23h: ISAKMP: encaps is 1 (Tunnel) > 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable. > 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1 > 2d23h: ISAKMP: transform 4, ESP_3DES > 2d23h: ISAKMP: attributes in transform: > 2d23h: ISAKMP: authenticator is HMAC-SHA > 2d23h: ISAKMP: SA life type in seconds > 2d23h: ISAKMP: SA life duration (basic) of 3600 > 2d23h: ISAKMP: encaps is 1 (Tunnel) > 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable. > 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1 > 2d23h: ISAKMP: unknown ESP transform! > 2d23h: ISAKMP: attributes in transform: > 2d23h: ISAKMP: authenticator is HMAC-MD5 > 2d23h: ISAKMP: SA life type in seconds > 2d23h: ISAKMP: SA life duration (basic) of 3600 > 2d23h: ISAKMP: encaps is 1 (Tunnel) > 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable. > 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1 > 2d23h: ISAKMP: unknown ESP transform! > 2d23h: ISAKMP: attributes in transform: > 2d23h: ISAKMP: authenticator is HMAC-SHA > 2d23h: ISAKMP: SA life type in seconds > 2d23h: ISAKMP: SA life duration (basic) of 3600 > 2d23h: ISAKMP: encaps is 1 (Tunnel) > 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable. > 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1 > 2d23h: ISAKMP: unknown ESP transform! > 2d23h: ISAKMP: attributes in transform: > 2d23h: ISAKMP: key length is 128 > 2d23h: ISAKMP: authenticator is HMAC-MD5 > 2d23h: ISAKMP: SA life type in seconds > 2d23h: ISAKMP: SA life duration (basic) of 3600 > 2d23h: ISAKMP: encaps is 1 (Tunnel) > 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable. > 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1 > 2d23h: ISAKMP: unknown ESP transform! 
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-SHA
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-MD5
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1):Checking IPSec proposal 1
> 2d23h: ISAKMP: unknown ESP transform!
> 2d23h: ISAKMP: attributes in transform:
> 2d23h: ISAKMP: key length is 128
> 2d23h: ISAKMP: authenticator is HMAC-SHA
> 2d23h: ISAKMP: SA life type in seconds
> 2d23h: ISAKMP: SA life duration (basic) of 3600
> 2d23h: ISAKMP: encaps is 1 (Tunnel)
> 2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
> 2d23h: ISAKMP:(0:21:SW:1): phase 2 SA policy not acceptable! (local 82.x.x.x
> remote 217.x.x.x)
> 2d23h: ISAKMP: set new node 326922217 to QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
> spi 1691668640, message ID = 326922217
> 2d23h: ISAKMP:(0:21:SW:1): sending packet to 217.x.x.x my_port 500 peer_port
> 500 (R) QM_IDLE
> 2d23h: ISAKMP:(0:21:SW:1):purging node 326922217
> 2d23h: ISAKMP:(0:21:SW:1):deleting node -1473959992 error TRUE reason "QM
> rejected"
> 2d23h: ISAKMP (0:134217749): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:
> for node -1473959992: state = IKE_QM_READY
> 2d23h: ISAKMP:(0:21:SW:1):Node -1473959992, Input = IKE_MESG_FROM_PEER,
> IKE_QM_EXCH
> 2d23h: ISAKMP:(0:21:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
> 2d23h: ISAKMP:(0:22:SW:1):purging node 124919870
>
> cisco config
>
> crypto isakmp policy 1
>  encr aes
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 28800
> crypto isakmp key 123456 address 217.x.x.x no-xauth
> crypto isakmp key 123456 address 85.x.x.x no-xauth
> crypto isakmp aggressive-mode disable
> !
> !
> crypto ipsec transform-set VPN esp-aes
> !
> crypto map xxx 10 ipsec-isakmp
>  set peer 217.x.x.x
>  set transform-set VPN
>  match address 111
> crypto map eon 20 ipsec-isakmp
>  set peer 85.x.x.x
>  set transform-set VPN-EON
>  match address 112
> !
>
> ----//----
>
> xxx#sh crypto map tag xxx
> Crypto Map "xxx" 10 ipsec-isakmp
>         Peer = 217.x.x.x
>         Extended IP access list 111
>             access-list 111 permit ip 192.168.200.0 0.0.0.255 192.168.0.0
> 0.0.0.255
>         Current peer: 217.x.x.x
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 VPN,
>         }
> Crypto Map "xxx" 20 ipsec-isakmp
>         Peer = 85.x.x.x
>         Extended IP access list 112
>             access-list 112 permit ip 192.168.200.0 0.0.0.255 192.168.96.0
> 0.0.7.255
>         Current peer: 85.x.x.x
>         Security association lifetime: 4608000 kilobytes/3600 seconds
>         PFS (Y/N): N
>         Transform sets={
>                 VPN,
>         }
>         Interfaces using crypto map xxx:
>                 FastEthernet0/1
>
> ---//---
>
> the dlink is a dfl-1600
>
> any ideas? hammer is not possible because the dlink box is on the other side
> of the ocean :)
>
> mac
>
> 2008/12/12 Mario Spinthiras
>
>> How about the actual problem so we can help there? Logs , errors?
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From spinthiras.mario at gmail.com Fri Dec 12 16:15:08 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Fri, 12 Dec 2008 23:15:08 +0200
Subject: [c-nsp] IPSec between Cisco and D-Link
In-Reply-To: <3D0CAA914364E34E9B5D80B53547EE62A3600C@emo-exch2k3-s32.dcgov.priv>
References: <88dfbf880812110713m472d46d2ufae29e265a181a7d@mail.gmail.com> <4f890e580812111901p475c3975g2cc8152deee48ef1@mail.gmail.com> <88dfbf880812120455p2a276a9bve5f0439d47f11680@mail.gmail.com> <4942BC8A.8040106@justinshore.com> <3D0CAA914364E34E9B5D80B53547EE62A3600C@emo-exch2k3-s32.dcgov.priv>
Message-ID:
<4f890e580812121315jbd4f74dj3056ccce71ebe9cb@mail.gmail.com>

I don't think that's the problem. It looks like the transform sets don't
match. Don't forget that ACLs come prior to phase 2.

Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

From spinthiras.mario at gmail.com Fri Dec 12 16:36:45 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Fri, 12 Dec 2008 23:36:45 +0200
Subject: [c-nsp] ASA 5520 inside interface used for Clients Default Gateway
In-Reply-To:
References:
Message-ID: <4f890e580812121336v4da79a1bj44ccd3470d28c273@mail.gmail.com>

If you have a default rule for NAT then have you tried adding an exemption
in the NAT list for the particular network? Can you give me more of an
insight on the network, addressing, interfaces, routes and security rules?

Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

From tvarriale at comcast.net Fri Dec 12 16:59:55 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Fri, 12 Dec 2008 15:59:55 -0600
Subject: [c-nsp] IPSec between Cisco and D-Link
References: <88dfbf880812110713m472d46d2ufae29e265a181a7d@mail.gmail.com> <4f890e580812111901p475c3975g2cc8152deee48ef1@mail.gmail.com> <88dfbf880812120455p2a276a9bve5f0439d47f11680@mail.gmail.com> <4942BC8A.8040106@justinshore.com> <3D0CAA914364E34E9B5D80B53547EE62A3600C@emo-exch2k3-s32.dcgov.priv> <4f890e580812121315jbd4f74dj3056ccce71ebe9cb@mail.gmail.com>
Message-ID: <677E922E16B0429589BE0ED3E01AD418@flamdt1>

The transforms are fine and the debug says so.

The ACL/proxy setup is failing.

> 2d23h: ISAKMP (0:134217749): received packet from 217.x.x.x dport 500 sport
> 2d23h: ISAKMP:(0:21:SW:1): phase 2 SA policy not acceptable! (local 82.x.x.x
> remote 217.x.x.x)

> xxx#sh crypto map tag xxx
> Crypto Map "xxx" 10 ipsec-isakmp
>         Peer = 217.x.x.x
>         Extended IP access list 111
>             access-list 111 permit ip 192.168.200.0 0.0.0.255
> 192.168.0.0 0.0.0.255

Obviously 82.x and 217.x aren't the same as 192.168.200.0/24 and
192.168.0.0/24

tv

----- Original Message -----
From: "Mario Spinthiras"
To: "Gamino, Rogelio (OCTO-Contractor)"
Cc: ; "twisted mac"
Sent: Friday, December 12, 2008 3:15 PM
Subject: Re: [c-nsp] IPSec between Cisco and D-Link

> I don't think that's the problem. It looks like the transform sets don't
> match. Don't forget that ACLs come prior to phase 2.
>
> Regards,
> Mario A. Spinthiras
> http://www.spinthiras.net/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From SIngram at clayton.com Fri Dec 12 17:05:25 2008
From: SIngram at clayton.com (Scott Ingram)
Date: Fri, 12 Dec 2008 17:05:25 -0500
Subject: [c-nsp] ASA 5520 inside interface used for Clients Default Gateway
References: <4f890e580812121336v4da79a1bj44ccd3470d28c273@mail.gmail.com>
Message-ID:

I figured it out.. example:

access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.252.0 172.16.4.0 255.255.252.0
nat (inside) 0 access-list inside_nat0_outbound

Scott Ingram
Manager, IT Operations
Clayton
2 Corporate Drive
Shelton, CT 06484
work: 203.926.8148
cell: 203.258.2037
singram at clayton.com
www.clayton.com

________________________________

From: Mario Spinthiras [mailto:spinthiras.mario at gmail.com]
Sent: Fri 12/12/2008 4:36 PM
To: Scott Ingram
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA 5520 inside interface used for Clients Default Gateway

If you have a default rule for NAT then have you tried adding an exemption
in the NAT list for the particular network?
Can you give me more of an insight on the network, addressing, interfaces,
routes and security rules?

Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

IMPORTANT NOTICE: This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this message in error, you are hereby notified that we do not consent to any reading, dissemination, distribution or copying of this message. If you have received this communication in error, please notify the sender immediately and destroy the transmitted information.

From cisco-nsp at itpro.co.nz Fri Dec 12 20:59:58 2008
From: cisco-nsp at itpro.co.nz (Ivan)
Date: Sat, 13 Dec 2008 14:59:58 +1300
Subject: [c-nsp] Shaping
Message-ID: <4943171E.3040404@itpro.co.nz>

1. When shaping using MQC on an interface that also passes VoIP traffic
(priority queuing of voice traffic via child policy) what are the pros and
cons of using a Tc of 4ms (minimum possible as far as I understand)
compared with a Tc of 10ms (Cisco recommended value for voice in some
documents I have seen). For example the impact on CPU or possible delay.

2. If shaping is configured as follows how are packets larger than Bc
accommodated? (no interleaving configured).

CIR = 1000000bps
Bc = 4000bits (500bytes)
Be = 0
Tc = 4ms

3. Again with the above shaping configuration, if only packets of size
400bytes were sent does that mean it will never be possible to utilise the
full 1000000bps but rather only 400/500 * 1000000 = 800000bps?

4. Using IOS 12.4.13b it was possible to see the stats for delayed packets
and other values such as Tc.

router#show policy-map interface gi0/0
 GigabitEthernet0/0

  Service-policy output: SHAPE

    Class-map: class-default (match-any)
      7522946 packets, 1961480754 bytes
      30 second offered rate 66000 bps, drop rate 0 bps
      Match: any
      Traffic Shaping
           Target/Average   Byte   Sustain   Excess    Interval  Increment
             Rate           Limit  bits/int  bits/int  (ms)      (bytes)
          5000000/5000000   6250   50000     0         10        6250

        Adapt  Queue     Packets   Bytes       Packets   Bytes      Shaping
        Active Depth                           Delayed   Delayed    Active
        -      0         7518711   1956530048  118002    129484844  no

I can't seem to get the same stats from 12.4.22T

router#show policy-map interface fa0/0 output
 FastEthernet0/0

  Service-policy output: SHAPE

    Class-map: class-default (match-any)
      13 packets, 2184 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 13/2366
      shape (average) cir 3000000, bc 12000, be 12000
      target shape rate 3000000

Any ideas?

Thanks

Ivan

From nic.tjirkalli at za.verizonbusiness.com Sat Dec 13 00:52:02 2008
From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli)
Date: Sat, 13 Dec 2008 07:52:02 +0200 (SAST)
Subject: [c-nsp] ip rib update process hogging CPU on 12.4.7d
In-Reply-To:
References:
Message-ID:

howdy ho,

Moving to IOS version 12.4(21) eliminates this rib update CPU hog and
amazingly the router has more free memory - even with more routes in the
BGP table

later

>
> howdy ho,
>
> Over the last few days, we have noticed that the IP RIB Update is
> consuming a large amount of CPU cycles on 2 CISCO 7500 routers running
> 12.4.7d.
>
> We have several other CISCO 7500 routers that receive the same amount of
> BGP updates as the 2 with issues, but these routers are running a variety
> of 12.3 images and appear to be happy - no CPU hog caused by IP RIB Update
> process. All the 7500s are receiving a full BGP table.
>
> CISCO Bug Navigator has no mention of an IP RIB Update bug in 12.4
> images.
> > was wondering if anybody else had observed similar behaviour. > > thanx for your time and any feedback. > > > > --------------------------------------------------------------------- > Alas poor Tagline! I knew it well... > > Nic Tjirkalli > Verizon Business South Africa > Network Strategy Team > > Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail > is strictly confidential and intended only for use by the addressee unless > otherwise indicated. > > Company Information:http:// www.verizonbusiness.com/za/contact/legal/ > > This e-mail is strictly confidential and intended only for use by the > addressee unless otherwise indicated. > > --------------------------------------------------------------------- There are no facts, only opinions. Nic Tjirkalli Verizon Business South Africa Network Strategy Team Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated. Company Information : http://www.verizonbusiness.com/za/contact/legal/ This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated. From peter at rathlev.dk Sun Dec 14 15:33:17 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Sun, 14 Dec 2008 21:33:17 +0100 Subject: [c-nsp] Combining multiple vlans into a single vlan. In-Reply-To: References: <1228786530.3953.2.camel@localhost.localdomain> Message-ID: <1229286797.10792.89.camel@localhost.localdomain> On Mon, 2008-12-08 at 20:40 -0500, Jeff Cartier wrote: > Could this be accomplished using a ME3750, using BVI's? and if yes, > any configuration examples? > > A co-worker said he tried this and couldn't make it work... BVIs probably only work on "real routers". With the L3 switches you would need a physical loop cable. (The BVI is the L3 interface by the way, so just short circuiting the VLANs is just a "bridge-group".) 
I'm not adequately familiar with the ME3750, but I guess it can't do
bridge-groups. On a device that could, you would do something like this:

! *** On some router ***
bridge irb
!
interface GigabitEthernet0/0/1.630
 encapsulation dot1q 630
 bridge-group 5
!
interface GigabitEthernet0/0/1.631
 encapsulation dot1q 631
 bridge-group 5
!
interface BVI5
 description Optional, only when L3 termination is needed
 ip address 10.0.0.1 255.255.255.0
!
bridge 5 protocol ieee
!

Still, combining different VLANs this way could lead to lots of problems,
among other things short circuiting spanning trees.

Regards,
Peter

From caojingnju at gmail.com Mon Dec 15 00:35:59 2008
From: caojingnju at gmail.com (Jim Cao)
Date: Mon, 15 Dec 2008 13:35:59 +0800
Subject: [c-nsp] The problem of Bridge MIB on Cisco2924
Message-ID: <00bc01c95e77$049347d0$0db9d770$@com>

Hello, everyone:

I'm using the Bridge MIB to get the MAC-port mapping in my switch (Catalyst
2900xl, IOS 12.0(5.1)XP). I use
mgmt.mib-2.dot1dBridge.dot1dTp.dot1dTpFdbTable (1.3.6.1.2.1.17.4.3.1) to
get this mapping. The problem is I can only get the mapping from the
default vlan (vlan1). I used "show mac" on the command line and found there
are mappings in other vlans. I tried to use community indexing as
"snmpwalk -v 2c -c public@3 192.168.49.2 .1.3.6.1.2.1.17.4.3.1", where
public@3 means vlan3 and 192.168.49.2 is the switch's management IP. But it
always replies "Timeout: No response from 192.168.49.2". Even when I use the
same command with indexing to vlan1, I get the same reply. I searched the
web and found some people have met this problem before, but I cannot find a
solution. Has anybody here met this problem, and are there any solutions
for it?

Thanks a lot!

BRs
Jim

From zardoz at hotblack.net Mon Dec 15 00:27:06 2008
From: zardoz at hotblack.net (Tristan Gulyas)
Date: Mon, 15 Dec 2008 16:27:06 +1100
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
References:
Message-ID: <7B61E18A0A544076827F4EAF49A554E1@moscato>

Hi,

This is a known problem.
I'm getting this issue with some 64MB generic ATA flash cards on the
supervisor 2 modules as well. Cisco say it's due to a timing incompatibility
and their solution is to replace the card...

I find this is an intermittent issue. If you keep trying to boot (try a few
resets as well), it eventually boots (for me, at least) however this isn't
ideal for production.

See http://www.cisco.com/en/US/ts/fn/620/fn62466.html

Tristan

----- Original Message -----
From: "David Lima"
To:
Sent: Saturday, December 13, 2008 6:25 AM
Subject: Re: [c-nsp] Cat6500 sup2 boot from PCMCIA

-----Original Message-----
From: David Lima
Sent: Friday, 12 December 2008 03:09 p.m.
To: 'Church, Charles'
Subject: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA

Hi Charles, these cards were working in Cisco 7200 routers. I just think
that I can load a new image onto one of these cards and boot from rommon
mode. I can see both slots, slot0 and disk0, but I can't see the stored IOS
because of the invalid magic number error.

Thanks again

David

-----Original Message-----
From: Church, Charles [mailto:cchurc05 at harris.com]
Sent: Friday, 12 December 2008 02:03 p.m.
To: David Lima
Subject: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA

Have those cards ever worked in that device? Can you do a 'dev' in ROMMON,
and see 'slot0' or 'disk0' listed? Can you do a 'dir' on that device
listed? I don't recognize that as a normal size flash card for a Sup2.

Chuck

-----Original Message-----
From: David Lima [mailto:David.Lima at alphasys.com.bo]
Sent: Friday, December 12, 2008 1:58 PM
To: Church, Charles
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA

Hi Charles, I really appreciate your time. I have two PCMCIA cards:

- ATA FLASH Card Viking 48MB
- ATA FLASH Card SanDisk 48MB

Thanks again.

David

-----Original Message-----
From: Church, Charles [mailto:cchurc05 at harris.com]
Sent: Friday, 12 December 2008 01:54 p.m.
To: David Lima
CC: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA

Is it a 64MB card? If so, use 'disk0' in place of 'slot0'.

Chuck Church
Principal Network Engineer, CCIE #8776
Harris Information Technology Services
EDS Contractor - Navy Marine Corps Intranet (NMCI)
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978

-----Original Message-----
From: David Lima [mailto:David.Lima at alphasys.com.bo]
Sent: Friday, December 12, 2008 1:47 PM
To: Church, Charles
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA

Thanks a lot Charles for your response. I tried your suggestion but when I
boot from my slot0:IOS_IMAGE I have a bad file magic number error. Am I
missing anything in the Rommon configuration?

Rommon>boot slot0:IOS_IMAGE

Thanks again Charles.

David.

-----Original Message-----
From: Church, Charles [mailto:cchurc05 at harris.com]
Sent: Friday, 12 December 2008 01:40 p.m.
To: David Lima
CC: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA

I think you can format the card (if it's the 64MB ATA card) in a PC running
Windows, use FAT16 filesystem. Copy the image to the card, and try to boot
it from ROMMON. Once running, you'll need to format the card in IOS (so the
MONLIB (kind of like a boot sector) is put on there). Then you can use
Windows to copy the file again to the card (but don't format it again,
obviously). Then I think it should auto-boot. If it's less than 64MB, I
don't think Windows can recognize it as a disk drive without special
drivers, which may or may not exist. Make sure your ROMMON version is
7.1(1) if it is a 64MB card, can't recognize it without.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Lima
Sent: Friday, December 12, 2008 1:08 PM
To: Scott McGrath; Teller, Robert
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cat6500 sup2 boot from PCMCIA

Hi again, just one question. Is there a way to format the PCMCIA card from
another device (a router or a PC)? It's because I don't have any other
supervisor2 to do this. Would it be compatible?

Thanks for any suggestion.

David

-----Original Message-----
From: Scott McGrath [mailto:mcgrath at fas.harvard.edu]
Sent: Friday, 12 December 2008 11:16 a.m.
To: Teller, Robert
CC: David Lima; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cat6500 sup2 boot from PCMCIA

You can boot a sup2 from TFTP in ROMMON

Teller, Robert wrote:
> I ran into a similar problem and had to RMA a new sup/cf card from
> cisco.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Lima
> Sent: Friday, December 12, 2008 7:41 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
>
> Hi all, I have a Cat6500 x6k-sup2-2ge running IOS software.
>
> My problem is that I'm stuck in rommon mode after the IOS upgrade. Now I
> have a PCMCIA card and I want to boot the new IOS from the PCMCIA.
>
> I cannot format the PCMCIA from rommon mode.
>
> How can I format the PCMCIA? Is the only way to format it from the target
> Catalyst switch?
>
> All this because I have an error about an invalid magic number when I
> insert the PCMCIA card into the Supervisor2 slot in rommon mode.
>
> Please, I need your help.
>
> Thanks in advance.
>
> David
>
>
> #########################################################
> The information contained in this e-mail and subsequent attachments may be
> privileged, confidential and protected from disclosure. This transmission
> is intended for the sole use of the individual and entity to whom it is
> addressed. If you are not the intended recipient, any dissemination,
> distribution or copying is strictly prohibited. If you think that you have
> received this message in error, please e-mail the sender at the above
> e-mail address.
> #########################################################

From Mark at u.tv Mon Dec 15 05:50:09 2008
From: Mark at u.tv (Mark Tohill)
Date: Mon, 15 Dec 2008 10:50:09 -0000
Subject: [c-nsp] IP SLA logging....
Message-ID: <658F94741F4A8A4F94171E37E417488B0272DA90@UTVEXCHANGE.utv.local>

Hi,

Does anyone know how I can generate a syslog message (either locally or
sent to a syslog server) as opposed to a trap?

I have the following configuration, running 124-16a Enterprise Base on a
3725 router.

!
!
logging buffered 16384 debugging
!
ip sla monitor logging traps
ip sla monitor 2
 type jitter dest-ipaddr WWW.XXX.YYY.ZZZ dest-port 5000 num-packets 20 interval 10
 request-data-size 160
ip sla monitor reaction-configuration 2 react packetLossSD threshold-type immediate action-type trapOnly
!
!
logging trap debugging
logging AAA.BBB.CCC.DDD
!
!

Thanks,
Mark

Mark Tohill
UTV Internet
T:+44 (0)28 90 262196
M:+44 (0)7786 278716
E:mark at u.tv

From paul at paulstewart.org Mon Dec 15 06:58:18 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 15 Dec 2008 06:58:18 -0500
Subject: [c-nsp] 7600 Sup720 IOS Image
Message-ID: <000001c95eac$72020290$560607b0$@org>

Hi there..

We have a 7606 that's been running for 30 weeks now with no problems.
Starting a few days ago, we've had two incidents where a supervisor card
has reloaded. With SSO redundancy mode in place, the impact hasn't been
too major but definitely enough to get our attention ;( The chassis has a
pair of sup720-3BXL's in place so with two switchovers now in place, it's
back to running on the same sup card it was when this started.
I have my doubts about sudden hardware failures - thinking more of a
software related issue??

Current image is 12.2(33)SRC Advanced Enterprise and I'm considering
upgrading to 12.2(33)SRD Advanced Enterprise and looking for feedback..

Thanks in advance,

Paul

From dmitry at dmitry.net Mon Dec 15 08:20:07 2008
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Mon, 15 Dec 2008 15:20:07 +0200
Subject: [c-nsp] 12.2(33)SRC2 running 7600
In-Reply-To: <20081210204203.GA25986@mx.ytti.net>
References: <20081210204203.GA25986@mx.ytti.net>
Message-ID: <20081215132007.GE4922@f17.dmitry.net>

Hello!

On Wed, Dec 10, 2008 at 10:42:03PM +0200, Saku Ytti wrote:
> > does someone have any notes of open bugs on 7600 RSP720-3CXL-GE runs
> > 12.2(33)SRC2 ,
>
> I suspect BGP ghosting issue in SRC2. I'm fairly certain at least that in
> VPNv4 RR functionality there is such. (RR thinks it has sent update,
> while it has not).

Several times I have seen a similar problem on my 7600s/SRC2 on a couple of
eBGP sessions: guys from the remote site report no prefixes, but my router
thinks the prefixes are sent. AFAIR, a hard session reset solves the
problem.

--
Dmitry Kiselev

From lists at memetic.org Mon Dec 15 09:32:30 2008
From: lists at memetic.org (Adam Armstrong)
Date: Mon, 15 Dec 2008 14:32:30 +0000
Subject: [c-nsp] 7600 Sup720 IOS Image
In-Reply-To: <000001c95eac$72020290$560607b0$@org>
References: <000001c95eac$72020290$560607b0$@org>
Message-ID: <49466A7E.7030503@memetic.org>

Paul Stewart wrote:
> Hi there..
>
>
>
> We have a 7606 that's been running for 30 weeks now with no problems.
> Starting a few days ago, we've had two incidents where a supervisor card has
> reloaded. With SSO redundancy mode in place, the impact hasn't been too
> major but definitely enough to get our attention ;( The chassis has a pair
> of sup720-3BXL's in place so with two switchovers now in place, it's back to
> running on the same sup card it was when this started.
> > > > I have my doubts about sudden hardware failures - thinking more of a > software related issue?? > > > > Current image is 12.2(33)SRC Advanced Enterprise and I'm considering > upgrading to 12.2(33)SRD Advanced Enterprise and looking for feedback.. We get a lot of random reboots with SRD. I believe it's either related to our SIP/SPAs or MST. The device I've downgraded to SRC2 is behaving much better. adam. From twist3dmac at gmail.com Mon Dec 15 10:48:48 2008 From: twist3dmac at gmail.com (twisted mac) Date: Mon, 15 Dec 2008 15:48:48 +0000 Subject: [c-nsp] IPSec between Cisco and D-Link In-Reply-To: <677E922E16B0429589BE0ED3E01AD418@flamdt1> References: <88dfbf880812110713m472d46d2ufae29e265a181a7d@mail.gmail.com> <4f890e580812111901p475c3975g2cc8152deee48ef1@mail.gmail.com> <88dfbf880812120455p2a276a9bve5f0439d47f11680@mail.gmail.com> <4942BC8A.8040106@justinshore.com> <3D0CAA914364E34E9B5D80B53547EE62A3600C@emo-exch2k3-s32.dcgov.priv> <4f890e580812121315jbd4f74dj3056ccce71ebe9cb@mail.gmail.com> <677E922E16B0429589BE0ED3E01AD418@flamdt1> Message-ID: <88dfbf880812150748u458459d2nc4dc3c5b33c9e783@mail.gmail.com> there are 2 peers (217.x.x.x and 85.x.x.x) and 2 matching acls (111 - 192.168.0.0/24 and 112-192.168.96.0/21) why do u say "Obviously 82.x and 217.x aren't the same as 192.168.200.0/24 and 192.168.0.0/24 " can u explain? 2008/12/12 Tony Varriale > The transforms are fine and the debug says so. > > The ACL/proxy setup is failing. > > 2d23h: ISAKMP (0:134217749): received packet from 217.x.x.x dport 500 >> > sport > >> 2d23h: ISAKMP:(0:21:SW:1): phase 2 SA policy not acceptable! 
(local >> > 82.x.x.x > >> remote 217.x.x.x) >> > > xxx#sh crypto map tag xxx >> Crypto Map "xxx" 10 ipsec-isakmp >> Peer = 217.x.x.x >> Extended IP access list 111 >> access-list 111 permit ip 192.168.200.0 0.0.0.255 >> 192.168.0.0 0.0.0.255 >> > > Obviously 82.x and 217.x aren't the same as 192.168.200.0/24 and > 192.168.0.0/24 > > tv > > > ----- Original Message ----- From: "Mario Spinthiras" < > spinthiras.mario at gmail.com> > To: "Gamino, Rogelio (OCTO-Contractor)" > Cc: ; "twisted mac" > Sent: Friday, December 12, 2008 3:15 PM > Subject: Re: [c-nsp] IPSec between Cisco and D-Link > > > I dont think thats the problem. It looks like the transform sets don't >> match. Don't forget that ACLs come prior to phase 2. >> >> Regards, >> Mario A. Spinthiras >> http://www.spinthiras.net/ >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From jcartier at acs.on.ca Mon Dec 15 10:56:59 2008 From: jcartier at acs.on.ca (Jeff Cartier) Date: Mon, 15 Dec 2008 10:56:59 -0500 Subject: [c-nsp] Priority-queue & srr-queue question Message-ID: I have a switch configured for deployment and I've used the same base configuration on all of the ports. The switch is due to support Voice traffic, but not on every switchport. srr-queue bandwidth share 1 70 25 5 srr-queue bandwidth shape 3 0 0 0 priority-queue out My question is this... Being that voice is not being passed on all the switchports (ie. Only three ports on this switch have IP Phones off it), will the above commands impact traffic negatively on the ports that are not having voice traffic passed through them? I don't believe it would, but I'm curious to hear best-practice. 
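The Cisco/D-Link IPsec thread above (it ends with twisted mac's question, just before the priority-queue message) turns on one point: the `atts are acceptable` lines show the ESP transform matched, and the `IPSec policy invalidated proposal` / `phase 2 SA policy not acceptable!` lines show the crypto map policy, in practice the proxy identities carried by the crypto ACL, did not. IKEv1 quick mode requires the responder's (dst, src) to be exactly the initiator's (src, dst); a /25 offered against a /24 is rejected. The following is an added example, not code from the thread or from Cisco: a small Python checker that turns IOS crypto ACL entries into networks, verifies that two peers' entries mirror each other, and classifies a `debug crypto isakmp` excerpt. The local ACL and the debug lines are copied from the thread; the two "remote" ACLs are constructed stand-ins for what the DFL-1600 side would have to present, written in Cisco ACL syntax for convenience (the D-Link UI does not use that syntax), and the debug classification follows Tony Varriale's reading of those messages.

```python
"""Mirror-check IPsec proxy identities (crypto ACLs) and classify an IOS
'debug crypto isakmp' phase 2 excerpt.  Added example; LOCAL_ACL and
DEBUG_EXCERPT are copied from the thread, the REMOTE_* ACLs are constructed
stand-ins for the D-Link side written in Cisco syntax."""
import ipaddress
import re

# One 'permit ip <src> <dst>' entry; each operand is 'host A.B.C.D', 'any',
# or 'A.B.C.D WILDCARD' (Cisco wildcard = inverted netmask).
ACL_RE = re.compile(
    r"permit\s+ip\s+(host\s+\S+|any|\S+\s+\S+)\s+(host\s+\S+|any|\S+\s+\S+)"
)


def operand_to_network(operand: str) -> ipaddress.IPv4Network:
    """Convert one ACL address operand to an IPv4Network.
    Non-contiguous wildcard masks are not supported (ValueError)."""
    operand = operand.strip()
    if operand == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if operand.startswith("host "):
        return ipaddress.IPv4Network(operand.split()[1] + "/32")
    addr, wildcard = operand.split()
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(
        (addr, str(ipaddress.IPv4Address(netmask))), strict=False
    )


def parse_crypto_acl(text: str) -> list:
    """Return [(src_net, dst_net), ...] for every 'permit ip' entry in text."""
    return [
        (operand_to_network(m.group(1)), operand_to_network(m.group(2)))
        for m in ACL_RE.finditer(text)
    ]


def mirror_mismatches(local_entries, remote_entries) -> list:
    """Local entries that the remote ACL does not mirror exactly.
    Quick mode compares the identities as a whole: a subset or superset on
    the other side is a mismatch, not a partial match."""
    mirrored = {(dst, src) for src, dst in remote_entries}
    return [entry for entry in local_entries if entry not in mirrored]


def classify_phase2_debug(debug_text: str) -> str:
    """Coarse reading of IOS 'debug crypto isakmp' quick-mode output."""
    if "phase 2 SA policy not acceptable" not in debug_text:
        return "no-phase2-rejection"
    if "atts are acceptable" not in debug_text:
        return "transform-mismatch"  # no proposal's transform attributes matched
    if "IPSec policy invalidated proposal" in debug_text:
        # transform matched, crypto map policy (proxy IDs, PFS, ...) did not
        return "transform-ok-policy-mismatch"
    return "policy-mismatch"


def check_peer(local_acl: str, remote_acl: str) -> list:
    """Human-readable mismatch report; empty when the ACLs mirror."""
    bad = mirror_mismatches(parse_crypto_acl(local_acl), parse_crypto_acl(remote_acl))
    return [f"no mirror on remote for {src} -> {dst}" for src, dst in bad]


# From the thread: the Cisco side's crypto ACL for peer 217.x.x.x.
LOCAL_ACL = "access-list 111 permit ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255"

# Constructed: a remote side offering a /25 instead of the /24 (mismatch),
# and the corrected exact mirror image.
REMOTE_ACL_BAD = "permit ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.127"
REMOTE_ACL_GOOD = "permit ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255"

# Copied from the thread's debug output (attribute lines omitted).
DEBUG_EXCERPT = """
2d23h: ISAKMP: unknown ESP transform!
2d23h: ISAKMP: authenticator is HMAC-SHA
2d23h: ISAKMP:(0:21:SW:1):atts are acceptable.
2d23h: ISAKMP:(0:21:SW:1): IPSec policy invalidated proposal
2d23h: ISAKMP:(0:21:SW:1): phase 2 SA policy not acceptable! (local 82.x.x.x remote 217.x.x.x)
"""


if __name__ == "__main__":
    print(classify_phase2_debug(DEBUG_EXCERPT))
    print(check_peer(LOCAL_ACL, REMOTE_ACL_BAD) or "ACLs mirror")
    print(check_peer(LOCAL_ACL, REMOTE_ACL_GOOD) or "ACLs mirror")
```

Run it against the ACL from `show crypto map` on the Cisco side and whatever the other vendor exports for its tunnel's local and remote networks; the `unknown ESP transform!` line on its own is not the fault, as the debug shows it followed by `atts are acceptable` for the same proposal.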
From markom at markom.info Mon Dec 15 11:03:41 2008 From: markom at markom.info (Marko Milivojevic) Date: Mon, 15 Dec 2008 16:03:41 +0000 Subject: [c-nsp] Trace Logs on ASR1000 Message-ID: Has anyone found a "scalable"* way to disable trace logging to hard disk on ASR1000? Our RANCID is not very happy with constant changes on the hard disk... * Scalable = one that doesn't require at least 20 commands that may or may not survive reload, as they are exec-level statements. -- Marko CCIE #18427 (SP) My network blog: http://cisco.markom.info/ From RTeller at deltadentalwa.com Mon Dec 15 12:52:27 2008 From: RTeller at deltadentalwa.com (Teller, Robert) Date: Mon, 15 Dec 2008 09:52:27 -0800 Subject: [c-nsp] Combining multiple vlans into a single vlan. In-Reply-To: <1229286797.10792.89.camel@localhost.localdomain> References: <1228786530.3953.2.camel@localhost.localdomain> <1229286797.10792.89.camel@localhost.localdomain> Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC019D8@tiger.deltadentalwa.com> Could you also use private vlans? -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev Sent: Sunday, December 14, 2008 12:33 PM To: Jeff Cartier Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Combining multiple vlans into a single vlan. On Mon, 2008-12-08 at 20:40 -0500, Jeff Cartier wrote: > Could this be accomplished using a ME3750, using BVI's? and if yes, > any configuration examples? > > A co-worker said he tried this and couldn't make it work... BVIs probably only work on "real routers". With the L3 switches you would need a physical loop cable. (The BVI is the L3 interface by the way, so just short circuiting the VLANs is just a "bridge-group".) I'm not adequately familiar with the ME3750, but I guess it can't do brige-groups. On a device that could, you would do something like this: ! *** On some router *** bridge irb ! 
interface GigabitEthernet0/0/1.630
 encapsulation dot1q 630
 bridge-group 5
!
interface GigabitEthernet0/0/1.631
 encapsulation dot1q 631
 bridge-group 5
!
interface BVI5
 description Optional, only when L3 termination is needed
 ip address 10.0.0.1 255.255.255.0
!
bridge 5 protocol ieee
!

Still, combining different VLANs this way could lead to lots of problems,
among other things short circuiting spanning trees.

Regards,
Peter

From aluisios at ctbc.com.br Mon Dec 15 14:01:20 2008
From: aluisios at ctbc.com.br (aluisios at ctbc.com.br)
Date: Mon, 15 Dec 2008 16:01:20 -0300
Subject: [c-nsp] Aluisio da Silva/CTBC Telecom/BR is out of the office.
Message-ID:

I will be out of the office from Thu, 04/12/2008 and will not return before
Mon, 05/01/2009. I will reply to your message when I return.

From chris.flav at yahoo.ca Mon Dec 15 13:05:26 2008
From: chris.flav at yahoo.ca (Chris Flav)
Date: Mon, 15 Dec 2008 10:05:26 -0800 (PST)
Subject: [c-nsp] IOS for 7204VXR-G1 + MPF
Message-ID: <225631.45874.qm@web111115.mail.gq1.yahoo.com>

Hi all,

we currently utilize Cisco 7204VXR routers for PPPoE aggregation and are
interested in testing the MPF feature.
http://www.cisco.com/en/US/partner/docs/ios/12_3/12_3y/12_3ya8/MPF123YM.html A little while ago we tested c7200-i12s-mz.123-14.YM12.bin and had to do an emergency rollback since RADIUS profiles that utilized Framed-Route such as: Framed-Address = 10.131.131.96, Framed-Route = "72.131.131.96/29 0.0.0.0 1", would not route correctly the netblock in question. Sessions would come up however the routes were not correctly utilized by traffic flows. Therefore, are any utilizing MPF successfully, and as well, what is the recommended IOS for the 7204VXR+NPE-G1 platform for PPPoE termination over L2TP? What are IOS recommendations for this application and platform? We currently handle approximately 2500 PPPoE users per box. Thanks in advance, C. Flav __________________________________________________________________ Looking for the perfect gift? Give the gift of Flickr! http://www.flickr.com/gift/ From rodunn at cisco.com Mon Dec 15 14:53:15 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Mon, 15 Dec 2008 14:53:15 -0500 Subject: [c-nsp] IOS for 7204VXR-G1 + MPF In-Reply-To: <225631.45874.qm@web111115.mail.gq1.yahoo.com> References: <225631.45874.qm@web111115.mail.gq1.yahoo.com> Message-ID: <20081215195315.GE5403@rtp-cse-489.cisco.com> IIRC you had to buy a license to run it and I think we stopped selling them and taking a faster CPU path route along with hardware forwarding (ASR1000 for example). Generally, I don't think it's recommended because so many features were not supported with it. Rodney On Mon, Dec 15, 2008 at 10:05:26AM -0800, Chris Flav wrote: > Hi all, > > we currently utilize Cisco 7204VXR routers for PPPoE aggregation and are interested in testing the MPF feature. 
>
> http://www.cisco.com/en/US/partner/docs/ios/12_3/12_3y/12_3ya8/MPF123YM.html
>
> A little while ago we tested c7200-i12s-mz.123-14.YM12.bin and had to do an emergency rollback since RADIUS profiles that utilized Framed-Route such as:
>
> Framed-Address = 10.131.131.96,
> Framed-Route = "72.131.131.96/29 0.0.0.0 1",
>
> would not route correctly the netblock in question. Sessions would come up however the routes were not correctly utilized by traffic flows.
>
> Therefore, are any utilizing MPF successfully, and as well, what is the recommended IOS for the 7204VXR+NPE-G1 platform for PPPoE termination over L2TP? What are IOS recommendations for this application and platform? We currently handle approximately 2500 PPPoE users per box.
>
> Thanks in advance,
>
> C. Flav

From decklandv at gmail.com Mon Dec 15 16:40:49 2008
From: decklandv at gmail.com (Rado Vasilev)
Date: Mon, 15 Dec 2008 21:40:49 +0000
Subject: [c-nsp] IOS for 7204VXR-G1 + MPF
In-Reply-To: <20081215195315.GE5403@rtp-cse-489.cisco.com>
References: <225631.45874.qm@web111115.mail.gq1.yahoo.com> <20081215195315.GE5403@rtp-cse-489.cisco.com>
Message-ID: <80B3E476-F7EE-412A-AEE6-E07D7376B123@gmail.com>

Hi Rodney,

I was wondering the last few days what would be the ideal Cisco platform for higher performance VPDN?
Currently I'm using 7301/7200-NPE-G2 routers and don't like the idea of splitting the load to more and more LNS/LAC devices.
Would the future proof platform with HW capabilities be the ASR1000 or something else?
Regards,
Rado

On 15 Dec 2008, at 19:53, Rodney Dunn wrote:

> IIRC you had to buy a license to run it and I think we stopped
> selling them and taking a faster CPU path route along with
> hardware forwarding (ASR1000 for example).
>
> Generally, I don't think it's recommended because so many features
> were not supported with it.
>
> Rodney
>
> On Mon, Dec 15, 2008 at 10:05:26AM -0800, Chris Flav wrote:
>> Hi all,
>>
>> we currently utilize Cisco 7204VXR routers for PPPoE aggregation
>> and are interested in testing the MPF feature.
>>
>> http://www.cisco.com/en/US/partner/docs/ios/12_3/12_3y/12_3ya8/MPF123YM.html
>>
>> A little while ago we tested c7200-i12s-mz.123-14.YM12.bin and had
>> to do an emergency rollback since RADIUS profiles that utilized
>> Framed-Route such as:
>>
>> Framed-Address = 10.131.131.96,
>> Framed-Route = "72.131.131.96/29 0.0.0.0 1",
>>
>> would not route correctly the netblock in question. Sessions would
>> come up however the routes were not correctly utilized by traffic
>> flows.
>>
>> Therefore, are any utilizing MPF successfully, and as well, what is
>> the recommended IOS for the 7204VXR+NPE-G1 platform for PPPoE
>> termination over L2TP? What are IOS recommendations for this
>> application and platform? We currently handle approximately 2500
>> PPPoE users per box.
>>
>> Thanks in advance,
>>
>> C. Flav
From lists at memetic.org Mon Dec 15 17:03:31 2008
From: lists at memetic.org (Adam Armstrong)
Date: Mon, 15 Dec 2008 22:03:31 +0000
Subject: [c-nsp] IOS for 7204VXR-G1 + MPF
In-Reply-To: <80B3E476-F7EE-412A-AEE6-E07D7376B123@gmail.com>
References: <225631.45874.qm@web111115.mail.gq1.yahoo.com> <20081215195315.GE5403@rtp-cse-489.cisco.com> <80B3E476-F7EE-412A-AEE6-E07D7376B123@gmail.com>
Message-ID: <4946D433.2080403@memetic.org>

Rado Vasilev wrote:
> Hi Rodney,
>
> I was wondering the last few days what would be the ideal Cisco
> platform for higher performance VPDN?
> Currently I'm using 7301/7200-NPE-G2 routers and don't like the idea
> of splitting the load to more and more LNS/LAC devices.
> Would the future proof platform with HW capabilities be the ASR1000 or
> something else?

We're planning to deploy ASR1ks for exactly this reason. The only sting is the cost of broadband licenses for the ASR. They cost several times more than the licenses on the 7200!

adam.

From peter at rathlev.dk Mon Dec 15 18:03:46 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 16 Dec 2008 00:03:46 +0100
Subject: [c-nsp] Combining multiple vlans into a single vlan.
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC019D8@tiger.deltadentalwa.com>
References: <1228786530.3953.2.camel@localhost.localdomain> <1229286797.10792.89.camel@localhost.localdomain> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC019D8@tiger.deltadentalwa.com>
Message-ID: <1229382226.3297.53.camel@localhost.localdomain>

On Mon, 2008-12-15 at 09:52 -0800, Teller, Robert wrote:
> Could you also use private vlans?

I cannot see how it could work, though private VLAN technology isn't my strongest side, to put it mildly. The thing I can't see how to achieve would be receiving two different VLANs on the same physical port using PVLANs. If you had two different physical ports the job would of course be simple without PVLANs or any tricks.

I still fail to see why one would do this though. Knowing the ultimate goal would help finding the right tool for the job. :-)

Regards,
Peter

From erpa22276 at yahoo.com Mon Dec 15 19:41:03 2008
From: erpa22276 at yahoo.com (Per A)
Date: Mon, 15 Dec 2008 16:41:03 -0800 (PST)
Subject: [c-nsp] OPSF over a Lan-to-Lan VPN tunnel
Message-ID: <580935.28686.qm@web36206.mail.mud.yahoo.com>

This is an exercise in learning, and I'm getting stuck on the OSPF/Routing piece.

What I am wanting to do is build a Lan-to-Lan VPN network between a 2811 and a 3005. Once that is done, inner routers at each site will run OSPF/Routing Protocol and should populate routes between the sites.

I have built the VPN Lan-to-Lan successfully, but I am not able to get the Inner Routers to build neighbor relationships. Likely, I am missing something fundamental.

The outer/gateway/vpn devices at each site (2800 and 3005) are not participating in OSPF. I have configured the near and far side networks on each VPN device and have full connectivity between all clients at both sites. My challenge is to get the gateway devices to forward the OSPF Multicasts to the far side network and delivered to the Inner Router.
I understand that the Neighbor Relationship is built with Hello Messages between routers that share a common segment. I assumed that the VPN tunnel between sites would simulate this "common segment" function by identifying the multicast traffic as "interesting" and thus forward the multicast to the far end. To get to this, I used an access list to identify the source networks and then identified the destination as 224.0.0.5 0.0.0.0, thinking that the local VPN device would see the multicast communication from the Inner Router and encapsulate it for passage to the far end. Once arriving, the far end would un-encapsulate it and deliver it to the inside interface where the far end Inner Router would receive the multicast Hello message.

Here is what the network looks like:

Site1_InnerRouter----Site1_3005----Internet----Site2_2811----Site2_InnerRouter

So my assumption is that this is not working because the two Inner Routers do not share the "common segment" which likely requires identical subnet/mask.

Is there any way to make this kind of environment work, or possibly an alternative solution where the Outer/VPN devices do not participate in the Routing Protocol but the Inner Routers do?

Thanks for any assistance you can offer.

From RTeller at deltadentalwa.com Mon Dec 15 19:51:15 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Mon, 15 Dec 2008 16:51:15 -0800
Subject: [c-nsp] OPSF over a Lan-to-Lan VPN tunnel
In-Reply-To: <580935.28686.qm@web36206.mail.mud.yahoo.com>
References: <580935.28686.qm@web36206.mail.mud.yahoo.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC019E7@tiger.deltadentalwa.com>

You are going to have to use a combination of GRE and ISAKMP to get this to work. Routing updates are not passed through vpns natively.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Per A
Sent: Monday, December 15, 2008 4:41 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OPSF over a Lan-to-Lan VPN tunnel

This is an exercise in learning, and I'm getting stuck on the OSPF/Routing piece.

What I am wanting to do is build a Lan-to-Lan VPN network between a 2811 and a 3005. Once that is done, inner routers at each site will run OSPF/Routing Protocol and should populate routes between the sites.

I have built the VPN Lan-to-Lan successfully, but I am not able to get the Inner Routers to build neighbor relationships. Likely, I am missing something fundamental.

The outer/gateway/vpn devices at each site (2800 and 3005) are not participating in OSPF. I have configured the near and far side networks on each VPN device and have full connectivity between all clients at both sites. My challenge is to get the gateway devices to forward the OSPF Multicasts to the far side network and delivered to the Inner Router.

I understand that the Neighbor Relationship is built with Hello Messages between routers that share a common segment. I assumed that the VPN tunnel between sites would simulate this "common segment" function by identifying the multicast traffic as "interesting" and thus forward the multicast to the far end. To get to this, I used an access list to identify the source networks and then identified the destination as 224.0.0.5 0.0.0.0, thinking that the local VPN device would see the multicast communication from the Inner Router and encapsulate it for passage to the far end. Once arriving, the far end would un-encapsulate it and deliver it to the inside interface where the far end Inner Router would receive the multicast Hello message.

Here is what the network looks like:

Site1_InnerRouter----Site1_3005----Internet----Site2_2811----Site2_InnerRouter
So my assumption is that this is not working because the two Inner Routers do not share the "common segment" which likely requires identical subnet/mask.

Is there any way to make this kind of environment work, or possibly an alternative solution where the Outer/VPN devices do not participate in the Routing Protocol but the Inner Routers do?

Thanks for any assistance you can offer.

From peter at rathlev.dk Mon Dec 15 19:55:27 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 16 Dec 2008 01:55:27 +0100
Subject: [c-nsp] OPSF over a Lan-to-Lan VPN tunnel
In-Reply-To: <580935.28686.qm@web36206.mail.mud.yahoo.com>
References: <580935.28686.qm@web36206.mail.mud.yahoo.com>
Message-ID: <1229388927.3297.55.camel@localhost.localdomain>

On Mon, 2008-12-15 at 16:41 -0800, Per A wrote:
> Is there any way to make this kind of environment work, or possibly an
> alternative solution where the Outer/VPN devices do not participate in
> the Routing Protocol but the Inner Routers do?

Why not use a GRE tunnel between the two inner routers and then run OSPF on that one? You'd have to accept MTU/fragmentation challenges, but it would be very clean.
Regards,
Peter

From spinthiras.mario at gmail.com Mon Dec 15 20:04:30 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Tue, 16 Dec 2008 03:04:30 +0200
Subject: [c-nsp] OPSF over a Lan-to-Lan VPN tunnel
In-Reply-To: <1229388927.3297.55.camel@localhost.localdomain>
References: <580935.28686.qm@web36206.mail.mud.yahoo.com> <1229388927.3297.55.camel@localhost.localdomain>
Message-ID: <4f890e580812151704y226262fbp1caaecce2fcd63a3@mail.gmail.com>

use a gre tunnel. i have a tutorial here on it.

http://www.spinthiras.net/2007/11/24/vpn-via-tunnel-interfaces/

do that and run ospf on top. remember that tunnel ifaces are to be treated like normal ifaces,

regards,
mario

From spinthiras.mario at gmail.com Mon Dec 15 20:08:06 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Tue, 16 Dec 2008 03:08:06 +0200
Subject: [c-nsp] Combining multiple vlans into a single vlan.
In-Reply-To: <1229382226.3297.53.camel@localhost.localdomain>
References: <1228786530.3953.2.camel@localhost.localdomain> <1229286797.10792.89.camel@localhost.localdomain> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC019D8@tiger.deltadentalwa.com> <1229382226.3297.53.camel@localhost.localdomain>
Message-ID: <4f890e580812151708g346232ahc83a67eb3fb4f0d3@mail.gmail.com>

I know on the Allied Telesis boxes you can do VLAN translations from one vlan to another. Is there no way of doing multiple translations on a Cisco? Haven't really had the need to do something like this before however I guess bridge groups could be useful. How would you overcome the STP problems that might arise though?

Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

From jcartier at acs.on.ca Mon Dec 15 20:10:31 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Mon, 15 Dec 2008 20:10:31 -0500
Subject: [c-nsp] Combining multiple vlans into a single vlan.
References: <1228786530.3953.2.camel@localhost.localdomain> <1229286797.10792.89.camel@localhost.localdomain> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC019D8@tiger.deltadentalwa.com> <1229382226.3297.53.camel@localhost.localdomain> <4f890e580812151708g346232ahc83a67eb3fb4f0d3@mail.gmail.com>
Message-ID:

The ME3750's support 1:1 vlan mappings...you can also do 1:1 vlan mappings over EoMPLS. The ideal solution to this would be VPLS.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net on behalf of Mario Spinthiras
Sent: Mon 12/15/2008 8:08 PM
To: Peter Rathlev
Cc: Teller, Robert; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Combining multiple vlans into a single vlan.

I know on the Allied Telesis boxes you can do VLAN translations from one vlan to another. Is there no way of doing multiple translations on a Cisco? Haven't really had the need to do something like this before however I guess bridge groups could be useful. How would you overcome the STP problems that might arise though?

Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

From andy.saykao at staff.netspace.net.au Mon Dec 15 20:25:50 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 16 Dec 2008 12:25:50 +1100
Subject: [c-nsp] Question about class-map, policy-map and TOS field?
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654AF8@vic-cr-ex1.staff.netspace.net.au>

Hi All,

We're trying to reduce the CPU on one of our core routers (7606) by using class-map and applying the policy-map to the interface rather than the old PBR way of "ip policy route-map".
Here's our current config using the PBR way of doing things:

interface GigabitEthernet4/1/1
 bandwidth 1000000
 ip address A.B.C.D 255.255.255.128
 ip route-cache policy
 ip policy route-map TOS-TAG-IX
 load-interval 30
 no negotiation auto
!
route-map TOS-TAG-IX permit 10
 set ip tos 15

Basically all traffic coming in via this interface has their TOS field set to 15. We've had an upsurge of traffic coming into this interface and this has caused our CPU to shoot through the roof.

From my research, PBR can be rather CPU intensive because packets are process switched. We've been advised to use the new way of marking traffic with class-map and policy-map.

What I don't get is - how do we set an ip tos value of 15 using policy-map when that option doesn't exist (see below).

Router(config)#policy-map TOS-TAG-IX-POLICY
Router(config-pmap)#class TOS-TAG-IX-CLASS
Router(config-pmap-c)#set ip ?
  dscp        Set IP DSCP (DiffServ CodePoint)
  precedence  Set IP precedence

How do I set it so the incoming packets are marked with a TOS of 15 with policy-map???

Thanks.

Andy

From Curtis at GreenKey.net Mon Dec 15 21:49:59 2008
From: Curtis at GreenKey.net (Curtis Doty)
Date: Mon, 15 Dec 2008 18:49:59 -0800
Subject: [c-nsp] Question about class-map, policy-map and TOS field?
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE03654AF8@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE03654AF8@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <49471757.4010808@GreenKey.net>

Andy Saykao wrote:
> What I don't get is - how do we set an ip tos value of 15 using
> policy-map when that option doesn't exist (see below).
>
> Router(config)#policy-map TOS-TAG-IX-POLICY
> Router(config-pmap)#class TOS-TAG-IX-CLASS
> Router(config-pmap-c)#set ip ?
>   dscp        Set IP DSCP (DiffServ CodePoint)
>   precedence  Set IP precedence
>
> How do I set it so the incoming packets are marked with a TOS of 15 with
> policy-map???

The 6 dscp bits are a superset of the 3 old precedence bits. If you could settle for only tos 14, then maybe set ip dscp 7. But alas, you wouldn't be setting the minimize cost bit. Which is now used for ECN.

http://tools.ietf.org/html/rfc3168#section-22

../C

From chris.flav at yahoo.ca Mon Dec 15 23:09:13 2008
From: chris.flav at yahoo.ca (chris.flav at yahoo.ca)
Date: Tue, 16 Dec 2008 04:09:13 +0000
Subject: [c-nsp] IOS for 7204VXR-G1 + MPF
Message-ID: <669598370-1229400549-cardhu_decombobulator_blackberry.rim.net-861950734-@bxe106.bisx.prod.on.blackberry>

>Vague recollection is that the general consensus is
>MPF is a feature best avoided. There will be little
>future support. Cisco has EOL'd MPF

Hello,

MPF is out. Noted. What is the best-practice IOS for use in a PPPoE over L2TP environment?

Thanks again,

C. Flav

From howard at leadmon.net Tue Dec 16 01:46:12 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Tue, 16 Dec 2008 01:46:12 -0500
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
In-Reply-To:
References:
Message-ID: <04b401c95f4a$016f9bc0$044ed340$@net>

Had the same issue here with a couple 6500/SUP2's, and the Flash Card's were working, but after a format got flakey.
The only real end solution we found that worked was to take and replace them with a different flash card, till we got one it was happy with. Actually went through a couple cards, till we found one that all the SUP2's seemed to accept, and after that life was good..

---
Howard Leadmon

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Lima
> Sent: Friday, December 12, 2008 10:41 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
>
> Hi all, I have a Cat6500 x6k-sup2-2ge running an IOS software.
>
> My problem is that I'm stuck in rommon mode after the IOS upgrade. Now
> I have A PCMCIA and I want to boot the new IOS from the PCMCIA.
>
> I cannot format the PCMCIA from the rommon mode.
>
> How can I format the PCMCIA? The only way is format from the target
> Catalyst switch?
>
> All these because I have an error about invalid magic number when I
> insert the PCMCIA card into the Supervisor2 slot in rommon mode.
>
> Please I need your help,
>
> Thanks in advance.
>
> David

From karl.gaissmaier at uni-ulm.de Tue Dec 16 05:15:38 2008
From: karl.gaissmaier at uni-ulm.de (Karl Gaissmaier)
Date: Tue, 16 Dec 2008 11:15:38 +0100
Subject: [c-nsp] High SNMP CPU with SXH. Is SXI any better?
In-Reply-To: <49429EA7.6060805@imperial.ac.uk>
References: <0616C55E-DF02-46D0-885A-A33429759938@princeton.edu> <23CBC8DC-C2EF-4EB8-9FEB-757DDA478C5B@wisc.edu> <49429EA7.6060805@imperial.ac.uk>
Message-ID: <49477FCA.2020601@uni-ulm.de>

Hi all,

Phil Mayers wrote:
>> I haven't looked into it, but perhaps you can find a cisco specific
>> mib, maybe cef or mls specific that doesn't have this performance
>
> CISCO-SWITCH-ENGINE-MIB::cseCef* are the ones. However, they contain
> basically the entire FIB & adjacency entries. They're faster to walk,
> but their size can make the whole process slower :o(

If you use the cseCefAdjacencyTable, the number of entries is similar to the ipNetToMediaTable. My tests showed that fetching the ipNetToMediaTable stresses the route processor at ~90% cpu load. Fetching the cseCefAdjacencyTable stresses the switch processor and the route processor together, but now both processors at ~50% cpu load.

>> penalty? Otherwise, I bet a query via clogin outperforms the snmp
>> table.
>
> It certainly does. ~10 seconds versus ~2min 30sec on our busiest router.

Example:

a column from the MIB-II ipNetToMediaTable
==========================================

unix$ time snmpbulkwalk -v 2c cat65-box 1.3.6.1.2.1.4.22.1.2
5595 entries

real    0m11.699s
user    0m0.128s
sys     0m0.020s

a column from the CISCO-SWITCH-ENGINE cseCefAdjacencyTable
==========================================================

unix$ snmpbulkwalk -v 2c cat65-box 1.3.6.1.4.1.9.9.97.1.8.3.1.4
6044 entries

real    0m4.055s
user    0m0.152s
sys     0m0.028s

> Cisco - Offering the very best in 1970s Network Management Technology...

ACK!
Best Regards
Charly

--
Karl Gaissmaier
Kommunikations und Informationszentrum kiz der Universität Ulm
Abteilung Infrastruktur
SG Netzwerk und Telekommunikation
89069 Ulm
Tel.: 49(0)731/50-22499
Fax : 49(0)731/50-1222499

From borgtinderne at btinternet.com Tue Dec 16 07:41:04 2008
From: borgtinderne at btinternet.com (Borg Tinderne)
Date: Tue, 16 Dec 2008 12:41:04 +0000 (GMT)
Subject: [c-nsp] Question about class-map, policy-map and TOS field?
Message-ID: <306268.52591.qm@web87011.mail.ird.yahoo.com>

Related question. Has anyone seen a decent description of 7600 QOS by card type? Catalyst PFC, Catalyst DFC, flexwan, OSM, OSM bb2, sip200/400/600, ES20, ES+ .. have there been others?

For the question given

if ( ingress ~ /Catalyst|OSM|SIP-600/ )
   {
   input policy / class / police line_rate conform-action set-prec-transmit 15
   }

No more than a guess based on a 2002 & 2007 ppt from Cisco on 7600 QoS.

From SPfister at dps.k12.oh.us Tue Dec 16 11:56:59 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Tue, 16 Dec 2008 11:56:59 -0500
Subject: [c-nsp] Question on CPU utilization
Message-ID: <4947978A.9E6F.00B8.0@dps.k12.oh.us>

We've got several remote sites that have a 3500XL switch running 12.0(5)WC17 as the core of their network. All of them are showing cpu utilization around 35-55% pretty much constantly.

- is this too high? Shouldn't it be more like <= 10% most of the time?
- how can I troubleshoot this? I've seen some steps on cisco.com, but they don't seem to indicate where the problem might be. I didn't see anything under the bug toolkit for this IOS that sounds like the problem I'm having, but should I try upgrading anyway?

Thanks!

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From geoff at pendery.net Tue Dec 16 12:02:32 2008
From: geoff at pendery.net (Geoffrey Pendery)
Date: Tue, 16 Dec 2008 11:02:32 -0600
Subject: [c-nsp] Question on CPU utilization
In-Reply-To: <4947978A.9E6F.00B8.0@dps.k12.oh.us>
References: <4947978A.9E6F.00B8.0@dps.k12.oh.us>
Message-ID:

My first post on the list, but I know this one, so I figured I'd speak up.

30-50% CPU util is normal idle level on the 3500XL series:
http://www.cisco.com/en/US/products/hw/switches/ps607/products_tech_note09186a0080094e78.shtml

So don't get too concerned unless it gets up towards the 80-90% range, or you see actual network impact.

-Geoff Pendery

On Tue, Dec 16, 2008 at 10:56 AM, Steven Pfister wrote:
> We've got several remote sites that have a 3500XL switch running 12.0(5)WC17 as the core of their network. All of them are showing cpu utilization around 35-55% pretty much constantly.
>
> - is this too high? Shouldn't it be more like <= 10% most of the time?
> - how can I troubleshoot this? I've seen some steps on cisco.com, but they don't seem to indicate where the problem might be. I didn't see anything under the bug toolkit for this IOS that sounds like the problem I'm having, but should I try upgrading anyway?
>
> Thanks!
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us

From streiner at cluebyfour.org Tue Dec 16 12:07:44 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Tue, 16 Dec 2008 12:07:44 -0500 (EST)
Subject: [c-nsp] Question on CPU utilization
In-Reply-To: <4947978A.9E6F.00B8.0@dps.k12.oh.us>
References: <4947978A.9E6F.00B8.0@dps.k12.oh.us>
Message-ID:

On Tue, 16 Dec 2008, Steven Pfister wrote:

> We've got several remote sites that have a 3500XL switch running
> 12.0(5)WC17 as the core of their network. All of them are showing cpu
> utilization around 35-55% pretty much constantly.
>
> - is this too high? Shouldn't it be more like <= 10% most of the time?
> - how can I troubleshoot this? I've seen some steps on cisco.com, but they don't seem to indicate where the problem might be. I didn't see anything under the bug toolkit for this IOS that sounds like the problem I'm having, but should I try upgrading anyway?

Is something broken or degraded because of what you're seeing in terms of CPU utilization? Are there any odd messages in the logs, or SNMP traps, if you're receiving them? Is there something else, like a published bug or security vulnerability that would prompt an upgrade?

If not, and the users aren't reporting any problems, you can probably leave the switches alone.

jms

From achatz at forthnet.gr Tue Dec 16 12:10:54 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 16 Dec 2008 19:10:54 +0200
Subject: [c-nsp] Question on CPU utilization
In-Reply-To: <4947978A.9E6F.00B8.0@dps.k12.oh.us>
References: <4947978A.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <4947E11E.30507@forthnet.gr>

Don't worry. It's normal ;)

http://www.cisco.com/en/US/products/hw/switches/ps607/products_tech_note09186a0080094e78.shtml

--
Tassos

Steven Pfister wrote on 16/12/2008 18:56:
> We've got several remote sites that have a 3500XL switch running 12.0(5)WC17 as the core of their network. All of them are showing cpu utilization around 35-55% pretty much constantly.
>
> - is this too high? Shouldn't it be more like <= 10% most of the time?
> - how can I troubleshoot this? I've seen some steps on cisco.com, but they don't seem to indicate where the problem might be. I didn't see anything under the bug toolkit for this IOS that sounds like the problem I'm having, but should I try upgrading anyway?
>
> Thanks!
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us

From billf at mu.org Tue Dec 16 16:37:46 2008
From: billf at mu.org (bill fumerola)
Date: Tue, 16 Dec 2008 13:37:46 -0800
Subject: [c-nsp] SoO causing 1-member update groups
Message-ID: <20081216213746.GY97614@elvis.mu.org>

i don't run any MPLS or anything like that, so i decided to steal the SoO ext community for use as a generic "which colo was this route originated from/learned in" community. the fact that it pretty printed it on one line in the CLI had something to do with it.

anyways, after adding it on one of my routers, a previously 20 member update group became 20 independent update groups all w/ the same SoO community set.

and that's my question: why would all of these become independent update groups? is it because the loop protection changes the outbound logic such that messages can't be replicated?

also, some of these displayed in the update-groups as:

  Site-of-Origin is 0x0:0:0 (2 different update groups)
  Site-of-Origin is 0xEF43:8653:1627824172 (5 different update groups)
  Site-of-Origin is 0xD0D:3341:218959117 (4 different update groups)

when the only thing that was set was:

  Site-of-Origin is SoO:36692:2

why does adding an external community to a route (via a route-map) impact the neighbor itself?
i realize in later versions of IOS this command was added to the per-{neighbor,peer-group,peer-policy} stanzas. i guess that's what i get for trying to steal a special-use community for my own usage. i just didn't expect the update group madness (they were all set to the same SoO) or the corruption.

i'm just curious about all of this, it didn't have any operational impact.

-- bill

p.s. just for kicks, i ran 'clear ip bgp update-group', which according to
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/s_bgpdpg.html
"Clears BGP update membership and recalculates BGP update-groups." but it actually reset all the neighbors themselves. yay docs.

From spencer at ceiva.com Tue Dec 16 16:44:48 2008
From: spencer at ceiva.com (Spencer Barnes)
Date: Tue, 16 Dec 2008 13:44:48 -0800
Subject: [c-nsp] Cisco 7206 - High CPU Utilization
Message-ID: <0BE527EE61205F409B0EDB4F6544552E01BE20D4@stewie.ceiva.local>

Greetings,

I have a Cisco 7206 (non-VXR) with an NPE-225. It has a PA-T3 card with a DS3 plugged in serving as our WAN port and a PA-FE-TX linking to another router that serves as our core router. The T3/Serial interface has a VPN endpoint configured and it is connected to a remote site that we use for off-site backups.

The CPU utilization goes through the roof (90 and up) when I upload files from our network to the remote network. I do not see this problem when I am downloading to our network. I put a throttle in place on the remote side limiting the connection to 6 Mb/s and that helped (before the throttle it would stick at 99% when copying). The majority of the CPU usage is in IP input and encrypt proc.

If I take the VPN out of the picture, CPU utilization is in the 40-50% ballpark which still seems high to me and obviously the VPN is having a dramatic effect on CPU usage. The average amount of bandwidth used and the packets per second rate are both low (less than 10 Mb/s and around 1000-1500 pps) for the interfaces.
Should this model of router be capable of handling a heavily used VPN tunnel running at about 6 Mb/s?

If I eliminate the VPN, shouldn't this model of router be able to handle at least 25% of a T3's capacity?

If the answer to either question is no, what is the lowest end Cisco router you would recommend?

Random notes:

Very minimal config. IP CEF is globally enabled. Turbo ACLs are enabled. Steady amount of flushes incrementing on PA-FE-TX (FA2/0) interface but not T3.

interface Serial1/0
 description [WAN]
 mtu 1500
 ip address xxx 255.255.255.252
 ip access-group 100 in
 ip access-group 103 out
 ip flow ingress
 ip nat outside
 no ip virtual-reassembly
 ip route-cache policy
 ip route-cache flow
 ipv6 enable
 dsu bandwidth 44210
 framing c-bit
 cablelength 50
 serial restart-delay 0
 no cdp enable
 crypto map myvpn
 hold-queue 1500 in
!
interface FastEthernet2/0
 description [Uplink] Connected to Core FA1/0
 ip address 10.1.1.1 255.255.255.0
 ip flow ingress
 ip nat inside
 no ip virtual-reassembly
 ip route-cache policy
 ip route-cache flow
 duplex full
 ipv6 address xxx
 ipv6 enable
 hold-queue 1500 in

FastEthernet2/0 is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 7/255, rxload 16/255
  Full-duplex, 100Mb/s, 100BaseTX/FX
  Last clearing of "show interface" counters 02:06:23
  Input queue: 5/1500/0/8034 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 6561000 bits/sec, 772 packets/sec
  5 minute output rate 3026000 bits/sec, 658 packets/sec
     6397481 packets input, 6506974856 bytes
     Received 171 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     5532333 packets output, 3232118493 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Thank you in advance!

Spencer

From billf at mu.org Tue Dec 16 19:04:05 2008
From: billf at mu.org (bill fumerola)
Date: Tue, 16 Dec 2008 16:04:05 -0800
Subject: [c-nsp] bgp multipath-relax + dmzlink
Message-ID: <20081217000405.GA97614@elvis.mu.org>

config:

  bgp bestpath as-path multipath-relax
  bgp dmzlink-bw

  neighbor aa.bb.cc.73 dmzlink-bw
  neighbor xxx.yyy.zzz.77 dmzlink-bw

interface bandwidth settings:

rtr1#show ip route aa.bb.cc.73 | i direct
  * directly connected, via GigabitEthernet0/0.5
rtr1#show int gi0/0.5 | i BW
  MTU 1500 bytes, BW 9000 Kbit, DLY 10 usec,
rtr1#show ip route xxx.yyy.zzz.77 | i direc
  * directly connected, via GigabitEthernet0/0.3
rtr1#show int gi0/0.3 | i BW
  MTU 1500 bytes, BW 55000 Kbit, DLY 10 usec,
rtr1#

bgp shows the proper DMZ-link BW:

rtr1#show ip bgp 4.23.94.0
[...]
  2914 7018 46164
    xxx.yyy.zzz.77 from xxx.yyy.zzz.77 (129.250.0.19)
      Origin IGP, metric 0, localpref 100, weight 10000, valid, external, multipath
      Community: 2914:420 2914:2000 2914:3000 36692:10210 no-export
      DMZ-Link Bw 6875 kbytes
  701 7018 46164
    aa.bb.cc.73 from aa.bb.cc.73 (137.39.2.70)
      Origin IGP, metric 0, localpref 100, weight 10000, valid, external, multipath, best
      Community: 36692:10210 no-export
      DMZ-Link Bw 1125 kbytes

here's the problem:

rtr1#show ip route 4.23.94.0
Routing entry for 4.23.94.0/23
  Known via "bgp 36692", distance 20, metric 0
  Tag 701, type external
  Last update from aa.bb.cc.73 00:24:40 ago
  Routing Descriptor Blocks:
  * xxx.yyy.zzz.77, from xxx.yyy.zzz.77, 00:24:40 ago
      Route metric is 0, traffic share count is 1
      AS Hops 3
      Route tag 701
    aa.bb.cc.73, from aa.bb.cc.73, 00:24:40 ago
      Route metric is 0, traffic share count is 10
      AS Hops 3
      Route tag 701

the traffic share count is the inverse of what it should be (1:10 when it should be 7:1).
this is confirmed by cef:

rtr1#show ip cef 4.23.94.0 int
4.23.94.0/23, epoch 0, RIB[B], refcount 5, per-destination sharing
  sources: RIB
  feature space:
    IPRM: 0x00018000
  ifnums:
    GigabitEthernet0/0.3(14): xxx.yyy.zzz.77
    GigabitEthernet0/0.5(15): aa.bb.cc.73
  path_list contains at least one resolved destination(s). HW not notified
  path 63DC37C4, path list 502C51E0, share 1/1, type recursive nexthop, for IPv4, flags resolved
    recursive via xxx.yyy.zzz.77[IPv4:Default], fib 2A195DFC, 1 terminal fib
      path 28F39760, path list 28ACD5A8, share 0/1, type adjacency prefix, for IPv4
      attached to GigabitEthernet0/0.3, adjacency IP adj out of GigabitEthernet0/0.3, addr xxx.yyy.zzz.77 5038CE40
  path 28F3A664, path list 502C51E0, share 10/10, type recursive nexthop, for IPv4, flags resolved
    recursive via aa.bb.cc.73[IPv4:Default], fib 2026A89C, 1 terminal fib
      path 63DC5360, path list 502C6E90, share 0/1, type adjacency prefix, for IPv4
      attached to GigabitEthernet0/0.5, adjacency IP adj out of GigabitEthernet0/0.5, addr aa.bb.cc.73 5038CFC0
  output chain:
    loadinfo 63DBB918, per-session, 2 choices, flags 0003, 126665 locks
      flags: Per-session, for-rx-IPv4
      11 hash buckets
        < 0 > IP adj out of GigabitEthernet0/0.3, addr xxx.yyy.zzz.77 5038CE40
        < 1 > IP adj out of GigabitEthernet0/0.5, addr aa.bb.cc.73 5038CFC0
        < 2 > IP adj out of GigabitEthernet0/0.5, addr aa.bb.cc.73 5038CFC0
        < 3 > IP adj out of GigabitEthernet0/0.5, addr aa.bb.cc.73 5038CFC0
        < 4 > IP adj out of GigabitEthernet0/0.5, addr aa.bb.cc.73 5038CFC0
        < 5 > IP adj out of GigabitEthernet0/0.5, addr aa.bb.cc.73 5038CFC0
        < 6 > IP adj out of GigabitEthernet0/0.5, addr aa.bb.cc.73 5038CFC0
        < 7 > IP adj out of GigabitEthernet0/0.5, addr aa.bb.cc.73 5038CFC0
        < 8 > IP adj out of GigabitEthernet0/0.5, addr aa.bb.cc.73 5038CFC0
        < 9 > IP adj out of GigabitEthernet0/0.5, addr aa.bb.cc.73 5038CFC0
        <10 > IP adj out of GigabitEthernet0/0.5, addr aa.bb.cc.73 5038CFC0

soooo..
is it possible to get working unequal load sharing across two different ASNs? i wouldn't need the hidden 'bgp bestpath as-path multipath-relax' if they were the same ASN, but if they were the same ASN i wouldn't be trying to meet different target commit rates.

i tried to simply flip the bandwidths to get what i want, but that made things even worse:

  2914 7018 46164
    xxx.yyy.zzz.77 from xxx.yyy.zzz.77 (129.250.0.19)
      Origin IGP, metric 0, localpref 100, weight 10000, valid, external, multipath
      Community: 2914:420 2914:2000 2914:3000 36692:10210 no-export
      DMZ-Link Bw 1250 kbytes
  701 7018 46164
    aa.bb.cc.73 from aa.bb.cc.73 (137.39.2.70)
      Origin IGP, metric 0, localpref 100, weight 10000, valid, external, multipath, best
      Community: 36692:10210 no-export

Routing entry for 4.23.94.0/23
  Known via "bgp 36692", distance 20, metric 0
  Tag 701, type external
  Last update from aa.bb.cc.73 00:00:33 ago
  Routing Descriptor Blocks:
  * xxx.yyy.zzz.77, from xxx.yyy.zzz.77, 00:00:33 ago
      Route metric is 0, traffic share count is 1
      AS Hops 3
      Route tag 701
    aa.bb.cc.73, from aa.bb.cc.73, 00:00:33 ago
      Route metric is 0, traffic share count is 48
      AS Hops 3
      Route tag 701

i set the bandwidth on the 2914 link to be 100:1 the bandwidth of the 701 link and no matter what, i always get the 1:10 ratio in the wrong direction.

this is on 12.2(31)SB11.

-- bill

From als at cell.ru Wed Dec 17 01:40:31 2008
From: als at cell.ru (Alexander Serkin)
Date: Wed, 17 Dec 2008 09:40:31 +0300
Subject: [c-nsp] configuring proxy-mobile IP on PDSN 3.0 (12.3(14)YX13
Message-ID: <49489EDF.2040308@cell.ru>

Hi.

Is someone running Cisco PDSN here? Could anybody looking at my debug tell me what's wrong with establishing proxy-mobile IP session from PDSN?
The problem is that the session isn't even forwarded to the Home Agent for some reason:

Nov 6 18:10:00.832: RADIUS(00134B8A): Send Access-Request to 212.119.xx.61:1812 id 1645/159, len 170
Nov 6 18:10:00.832: RADIUS: authenticator E1 07 62 04 A8 49 B9 CE - 36 6A A3 95 1D 61 3B 09
Nov 6 18:10:00.832: RADIUS: Vendor, 3GPP2 [26] 16
Nov 6 18:10:00.832: RADIUS: cdma-correlation-id[44] 10 "000A7294"
Nov 6 18:10:00.832: RADIUS: Calling-Station-Id [31] 17 "250097000222612"
Nov 6 18:10:00.832: RADIUS: Vendor, 3GPP2 [26] 12
Nov 6 18:10:00.832: RADIUS: cdma-service-option[16] 6 59
Nov 6 18:10:00.832: RADIUS: Vendor, 3GPP2 [26] 12
Nov 6 18:10:00.832: RADIUS: cdma-sess-term-capa[88] 6 1
Nov 6 18:10:00.832: RADIUS: Framed-Protocol [7] 6 PPP [1]
Nov 6 18:10:00.832: RADIUS: User-Name [1] 24 "als at mip.some.realm.ru"
Nov 6 18:10:00.832: RADIUS: CHAP-Password [3] 19 *
Nov 6 18:10:00.832: RADIUS: Service-Type [6] 6 Framed [2]
Nov 6 18:10:00.832: RADIUS: NAS-IP-Address [4] 6 212.119.1xx.4
Nov 6 18:10:00.832: RADIUS: Acct-Session-Id [44] 18 "D4776A04001E17E9"
Nov 6 18:10:00.832: RADIUS: Nas-Identifier [32] 14 "pdsn-m34-pc2"
Nov 6 18:10:00.908: <250097000222612>RADIUS: Received from id 1645/159 212.119.xx.61:1812, Access-Accept, len 107
Nov 6 18:10:00.908: RADIUS: authenticator 61 F3 E7 03 50 42 4A E7 - 5F 90 25 0F 05 36 F0 64
Nov 6 18:10:00.908: RADIUS: Vendor, 3GPP2 [26] 12
Nov 6 18:10:00.908: RADIUS: cdma-ha-ip-addr [7] 6 212.119.xx.xx
Nov 6 18:10:00.908: RADIUS: Vendor, Cisco [26] 40
Nov 6 18:10:00.908: RADIUS: Cisco AVpair [1] 34 "lcp:spi#0=spi 100 key ascii xxx"
Nov 6 18:10:00.908: RADIUS: Vendor, Cisco [26] 29
Nov 6 18:10:00.908: RADIUS: Cisco AVpair [1] 23 "lcp:cdma-user-class=3"
Nov 6 18:10:00.908: RADIUS: Session-Timeout [27] 6 21001
Nov 6 18:10:00.912: RADIUS(00134B8A): Received from id 1645/159
Nov 6 18:10:00.912: 250097000222612 PPP: Received LOGIN Response PASS
Nov 6 18:10:00.912: 250097000222612 PPP: Phase is FORWARDING, Attempting Forward
Nov 6 18:10:00.912: 250097000222612 CDMA-SM: Received PPP response=3 for session 10.30.5.102-10.199.48.52-994305, state=6
Nov 6 18:10:00.912: 250097000222612 CDMA-SM: request vaccess for session 10.30.5.102-10.199.48.52-994305
Nov 6 18:10:00.992: 250097000222612 CDMA-PPP: Subblock session 10.30.5.102-10.199.48.52-994305 (0x25E970C0) to Virtual-Access459 swidb=0x263C4120 sb=0x25E970B4
Nov 6 18:10:01.024: 250097000222612 CDMA-SM: clone vaccess=Virtual-Access459 subif_state=1 hwidb->state=0
Nov 6 18:10:01.024: 250097000222612 CDMA-SM: Set session state=8 for session 10.30.5.102-10.199.48.52-994305
Nov 6 18:10:01.028: 250097000222612 CDMA-SM: Received PPP response=2 for session 10.30.5.102-10.199.48.52-994305, state=8
Nov 6 18:10:01.028: 250097000222612 Debug: Condition 1, calling 250097000222612 triggered, count 1
Nov 6 18:10:01.028: 250097000222612 CDMA-SM: state=8, event=1 for session 10.30.5.102-10.199.48.52-994305
Nov 6 18:10:01.028: 250097000222612 CDMA-SM: Vaccess Virtual-Access459 UP for session 0x25E970C0
Nov 6 18:10:03.416: 250097000222612 CHAP: I RESPONSE id 1 len 43 from "als at mip.some.realm.ru"
Nov 6 18:10:03.416: 250097000222612 CHAP: Ignoring Additional Response
Nov 6 18:10:06.432: 250097000222612 CHAP: I RESPONSE id 1 len 43 from "als at mip.some.realm.ru"
Nov 6 18:10:06.432: 250097000222612 CHAP: Ignoring Additional Response
Nov 6 18:10:09.420: 250097000222612 CHAP: I RESPONSE id 1 len 43 from "als at mip.some.realm.ru"
Nov 6 18:10:09.420: 250097000222612 CHAP: Ignoring Additional Response
Nov 6 18:10:12.404: 250097000222612 CHAP: I RESPONSE id 1 len 43 from "als at mip.some.realm.ru"
Nov 6 18:10:12.404: 250097000222612 CHAP: Ignoring Additional Response
Nov 6 18:10:13.036: 250097000222612 CDMA-RP: ipmobile_visitor add/delete=0, mn=0.0.0.0, ha=212.119.xx.xx
Nov 6 18:10:13.036: 250097000222612 CDMA-RP: ipmobile_visitor_delete, but not exist mn=0.0.0.0, ha=212.119.xx.xx
Nov 6 18:10:13.036: 250097000222612 CDMA-RP: Not able to add ProxyMobile User ha=212.119.xx.xx
Nov 6 18:10:13.036: 250097000222612 PPP: Sending Acct Event[Down] id[134B8A]
Nov 6 18:10:13.036: 250097000222612 PPP: Phase is TERMINATING
Nov 6 18:10:13.036: 250097000222612 LCP: O TERMREQ [Open] id 2 len 4

-- Alexander

From sasabir at gmail.com Wed Dec 17 01:57:49 2008
From: sasabir at gmail.com (Sumon Ahmed Sabir)
Date: Wed, 17 Dec 2008 12:57:49 +0600
Subject: [c-nsp] Detect Upstream ISP's BGP problems.
In-Reply-To:
References: <20081212164133.GA13286@mx.ytti.net>
Message-ID: <244185a00812162257k2860804cp8036cdd77a620d44@mail.gmail.com>

Another solution to that is to ask your ISPs to get default routes from their upstreams and pass them to you, and not to use default-originate. So if any ISP loses its links with its upstreams, your default route will automatically disappear.

-sumon

On Fri, Dec 12, 2008 at 11:02 PM, wrote:
> That sounds like a good idea. Thank you very much.
>
> What do you think of using conditional advertisement based on their Route Reflector to advertise a default route? (I think the biggest problem is that most ISPs might not want to do that, correct?)
>
> Thank you again.
>
> Tom
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
> Sent: Friday, December 12, 2008 10:42 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Detect Upstream ISP's BGP problems.
>
> On (2008-12-12 09:57 -0600), tkacprzynski at spencerstuart.com wrote:
>
> > I know I could ask the ISPs to provide me a core route and use conditional advertisement, which would work well for traffic coming inbound, but what about outbound? How can I make the default route disappear from an ISP that is having internal problems.
>
> Don't get default, get PA aggregate. And point static route to that PA aggregate and the interface.
> If ISPs peering router is separated from ISPs core, the PA aggregate disappears and static default will be invalid, allowing you to converge to another path.
>
> For more advanced stuff, you might want to look at 'PfR' from cisco.
>
> --
> ++ytti

From erik at infopact.nl Wed Dec 17 03:21:39 2008
From: erik at infopact.nl (E. Versaevel)
Date: Wed, 17 Dec 2008 09:21:39 +0100
Subject: [c-nsp] Cisco 7206 - High CPU Utilization
In-Reply-To: <0BE527EE61205F409B0EDB4F6544552E01BE20D4@stewie.ceiva.local>
References: <0BE527EE61205F409B0EDB4F6544552E01BE20D4@stewie.ceiva.local>
Message-ID: <4948B693.6000908@infopact.nl>

Hi Spencer,

All encryption is done in software on the CPU (no dedicated encryption hardware) unless you have a special module for that. Your config isn't exactly minimal (ie, gathering flow statistics & NAT also eats CPU), also notice that you are referring to 5 minute averages on the bandwidth, try setting load-interval 30 on the fast Ethernet interface to gather some more realistic values.

I've managed to get a 7206 VXR on its knees while doing ip fragmentation on a 6 mbit tunnel :) so take a look at `show ip traffic`

You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)

Kind regards,

Erik

Spencer Barnes wrote:
> Greetings,
>
> I have a Cisco 7206 (non-VXR) with an NPE-225. It has a PA-T3 card with a DS3 plugged in serving as our WAN port and a PA-FE-TX linking to another router that serves as our core router.
> The T3/Serial interface has a VPN endpoint configured and it is connected to a remote site that we use for off-site backups.
>
> The CPU utilization goes through the roof (90 and up) when I upload files from our network to the remote network. I do not see this problem when I am downloading to our network. I put a throttle in place on the remote side limiting the connection to 6 Mb/s and that helped (before the throttle it would stick at 99% when copying). The majority of the CPU usage is in IP input and encrypt proc. If I take the VPN out of the picture, CPU utilization is in the 40-50% ballpark which still seems high to me and obviously the VPN is having a dramatic effect on CPU usage. The average amount of bandwidth used and the packets per second rate are both low (less than 10 Mb/s and around 1000-1500 pps) for the interfaces.
>
> Should this model of router be capable of handling a heavily used VPN tunnel running at about 6 Mb/s?
>
> If I eliminate the VPN, shouldn't this model of router be able to handle at least 25% of a T3's capacity?
>
> If the answer to either question is no, what is the lowest end Cisco router you would recommend?
>
> Random notes:
>
> Very minimal config. IP CEF is globally enabled. Turbo ACLs are enabled. Steady amount of flushes incrementing on PA-FE-TX (FA2/0) interface but not T3.
>
> [interface configuration quoted in full above]
>
> Spencer

Erik Versaevel

From oboehmer at cisco.com Wed Dec 17 07:13:21 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 17 Dec 2008 13:13:21 +0100
Subject: [c-nsp] bgp multipath-relax + dmzlink
In-Reply-To: <20081217000405.GA97614@elvis.mu.org>
References: <20081217000405.GA97614@elvis.mu.org>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784069444BC@xmb-ams-333.emea.cisco.com>

bill fumerola <> wrote on Wednesday, December 17, 2008 01:04:

> [config, interface bandwidth settings and "show ip bgp 4.23.94.0" output quoted in full above]
> [...]
> the traffic share count is the inverse of what it should be (1:10 when it should be 7:1).

looks like a bug, there have been a few, but not sure which one without looking into this further. I don't think it's related to "bgp bestpath as-path multipath-relax" in any way, rather a bug in how BGP calculates the share count it passes to RIB.. Maybe CSCsg31316 (Changes in dmzlink-bw do not reflect in the routing table) or CSCsg31406 (don't think so)..

oli

From techconfig at yahoo.com Wed Dec 17 07:16:51 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Wed, 17 Dec 2008 04:16:51 -0800 (PST)
Subject: [c-nsp] 7600 IP Precedence map not working
Message-ID: <559917.81621.qm@web44813.mail.sp1.yahoo.com>

Hi

I am testing an NNI connection between a 7600 and a 7200 - test environment at the moment.

I have a scenario where a provider network allocates IPP 7 for voice, whereas we allocate IPP 5.

I devised a simple service policy to swap IPP in and out, i.e.

policy-map NNI-VOICE-IN
 class NNI-VOICE-IN
  set precedence 5

class-map match-any NNI-VOICE-IN
 match precedence 7

----------------------------------------------

policy-map NNI-VOICE-OUT
 class NNI-VOICE-OUT
  set precedence 7

class-map match-any NNI-VOICE-OUT
 match precedence 5

---------------------------------------------

interface GigabitEthernet3/12.20
 encapsulation dot1Q 20
 ip vrf forwarding TEST2
 ip address 10.1.1.1 255.255.255.252
 no cdp enable
 service-policy input NNI-VOICE-IN
 service-policy output NNI-VOICE-OUT

On my CE routers I can check that the correct IPP is being received (1 CE per network).

The problem is that it seems to be working only 1 way. If I make a call from my network to the carrier network, IPP is 5 at my CE and 7 at the remote CE, which is what I want. However if I call from the remote network to my network, IPP is 7 from remote (fine), however it is still entering my local CE as 7 (not good).

I removed the policy from the 7600 and installed it on the 7200 (changing the match and set around) and it works perfectly, 5-7, 7-5.

On the 7600, I am connecting to the 7200 with a WS-X6748-GE-TX port (LAN card).

My guess is that the inbound policy map on the 7600 is not being acted upon, whereas the outbound is, in order to get the initial results of 1 way IPP swapping.

Anyone got any ideas?

Regards

Mark

From amsoares at netcabo.pt Wed Dec 17 07:31:03 2008
From: amsoares at netcabo.pt (Antonio Soares)
Date: Wed, 17 Dec 2008 12:31:03 -0000
Subject: [c-nsp] 32 bit ASN
Message-ID: <276E86096AB64D8C988E3AAA77CE4484@int.convex.pt>

Hello group,

Does anybody know if the 32-bit ASN feature is already available on Cisco IOS? I didn't find this feature on Feature Navigator. It's quite strange the fact no information seems to be available. RIPE will start assigning 32-bit ASN's on 1/1/2009.

Thanks.
Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From braaen at zcorum.com Wed Dec 17 07:42:58 2008
From: braaen at zcorum.com (Brian Raaen)
Date: Wed, 17 Dec 2008 07:42:58 -0500
Subject: [c-nsp] 32 bit ASN
In-Reply-To: <276E86096AB64D8C988E3AAA77CE4484@int.convex.pt>
References: <276E86096AB64D8C988E3AAA77CE4484@int.convex.pt>
Message-ID: <200812170742.58324.braaen@zcorum.com>

I recently brought up the same question on NANOG. Here is the thread
http://mailman.nanog.org/pipermail/nanog/2008-August/003347.html

As far as I can tell Cisco is really dragging their feet on this one, unless you are buying one of their Super-Deluxe model devices that runs on a different IOS.

----------------------
Brian Raaen
Network Engineer
braaen at zcorum.com

On Wednesday 17 December 2008, Antonio Soares wrote:
> Hello group,
>
> Anybody knows if the 32-bit ASN feature is already available on Cisco IOS ? I didn't find this feature on Feature Navigator. It's quite strange the fact no information seems to be available. RIPE will start assigning 32-bit ASN's in 1/1/2009.
>
> Thanks.

From David.Lima at alphasys.com.bo Wed Dec 17 07:59:29 2008
From: David.Lima at alphasys.com.bo (David Lima)
Date: Wed, 17 Dec 2008 08:59:29 -0400
Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
In-Reply-To: <04b401c95f4a$016f9bc0$044ed340$@net>
Message-ID:

Thanks a lot Howard, just the last question,

On my sup2 I have a sup-bootflash (bootflash in rommon mode) of 32MB and in this sup-bootflash is the corrupted IOS. Before buying a PCMCIA I was trying to recover and load a new IOS (20MB) from xmodem but it always stops transmitting. I don't know if this kind of recovery is possible for a supervisor2.
Thanks again for your advice.

David

-----Original Message-----
From: Howard Leadmon [mailto:howard at leadmon.net]
Sent: Tuesday, December 16, 2008 01:46 a.m.
To: David Lima; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cat6500 sup2 boot from PCMCIA

Had the same issue here with a couple 6500/SUP2's, and the Flash Cards were working, but after a format got flaky. The only real end solution we found that worked was to take and replace them with a different flash card, till we got one it was happy with. Actually went through a couple cards, till we found one that all the SUP2's seemed to accept, and after that life was good..

---
Howard Leadmon

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Lima
> Sent: Friday, December 12, 2008 10:41 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cat6500 sup2 boot from PCMCIA
>
> Hi all, I have a Cat6500 x6k-sup2-2ge running an IOS software.
>
> My problem is that I'm stuck in rommon mode after the IOS upgrade. Now I have a PCMCIA and I want to boot the new IOS from the PCMCIA.
>
> I cannot format the PCMCIA from the rommon mode.
>
> How can I format the PCMCIA? Is the only way to format it from the target Catalyst switch?
>
> All this because I have an error about invalid magic number when I insert the PCMCIA card into the Supervisor2 slot in rommon mode.
>
> Please I need your help,
>
> Thanks in advance.
>
> David

From david.freedman at uk.clara.net Wed Dec 17 08:39:00 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 17 Dec 2008 13:39:00 +0000
Subject: [c-nsp] Any EEM/TCL gurus about?
Message-ID:

Has anybody managed to get the http package working?

I want to do an HTTP POST, for some reason I can't load the http.tcl package inside system:lib/tcl (is this something to do with the safe execution mode?)

I've tried

  require package http
  require package http 2.4.7
  require package ioshttp (trying the builtin)

no success, has anybody done this before?

Dave.

From jp at softnet.si Wed Dec 17 10:00:56 2008
From: jp at softnet.si (Primoz Jeroncic)
Date: Wed, 17 Dec 2008 16:00:56 +0100 (CET)
Subject: [c-nsp] Rate limiting but on packet count not bandwidth
Message-ID:

Hi guys

Does anyone have any idea if rate limiting traffic based on packet count would be possible on Cat3550/3560/3570 or any Cisco router? I would need to limit some users which don't generate much traffic (only about 5 or 6Mbps), but packet count is huge (30k+ per sec).

So is there some option to limit their traffic to let's say 5000 packets/sec regardless of the bandwidth they use?

Thanks for help.

Have fun,
Primoz Jeroncic
Support - IP Connectivity & Routing
-------------------------------------------------------------------
Softnet d.o.o.
tel: +386 1 562 31 40   |                          Borovec 2
fax: +386 1 562 18 55   | 1 + 1 = 3                1236 Trzin
primoz(at)softnet.si    | for larger values of 1   Slovenija
http://flea.softnet.si/
-------------------------------------------------------------------

From luan at netcraftsmen.net Wed Dec 17 10:34:13 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 17 Dec 2008 10:34:13 -0500
Subject: [c-nsp] 32 bit ASN
In-Reply-To: <276E86096AB64D8C988E3AAA77CE4484@int.convex.pt>
References: <276E86096AB64D8C988E3AAA77CE4484@int.convex.pt>
Message-ID: <01e701c9605c$e9e8b6d0$bdba2470$@net>

Here's an old post on this topic:
http://puck.nether.net/pipermail/cisco-nsp/2008-August/053334.html

Also, I heard it's going to be implemented beginning 12.5T

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares
Sent: Wednesday, December 17, 2008 7:31 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 32 bit ASN

Hello group,

Anybody knows if the 32-bit ASN feature is already available on Cisco IOS ? I didn't find this feature on Feature Navigator. It's quite strange the fact no information seems to be available. RIPE will start assigning 32-bit ASN's in 1/1/2009.

Thanks.

From luan at netcraftsmen.net Wed Dec 17 10:39:05 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 17 Dec 2008 10:39:05 -0500
Subject: [c-nsp] Rate limiting but on packet count not bandwidth
In-Reply-To:
References:
Message-ID: <01ee01c9605d$9802b8b0$c8082a10$@net>

Maybe give storm-control with the pps keyword a try.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swtrafc.html#wp1241484

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Primoz Jeroncic
Sent: Wednesday, December 17, 2008 10:01 AM
To: Cisco Mailing list
Subject: [c-nsp] Rate limiting but on packet count not bandwidth

Hi guys

Does anyone have any idea if rate limiting traffic based on packet count would be possible on Cat3550/3560/3570 or any Cisco router? I would need to limit some users which don't generate much of traffic (only about 5 or 6Mbps), but packet count is huge (30k+ per sec).

So is there some option to limit their traffic to let's say 5000packets/sec regardless of bandwidth they use?

Thanks for help.

Have fun,
Primoz Jeroncic

From tdurack at gmail.com Wed Dec 17 10:54:09 2008
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 17 Dec 2008 10:54:09 -0500
Subject: [c-nsp] MPLS-VPN migration
Message-ID: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com>

Looking for some "creative" ideas on how best to accomplish this:

We are migrating a traditional enterprise-style IP network to an MPLS-VPN network. All the infrastructure MPLS/IGP/MP-BGP work is essentially done (it's a purely PE-PE network, no P routers anywhere.)
All "customer" networks are still in the global table. I need to migrate them into VPN groups, but maintain full reachability between global and VRFs during the migration. Route-leaking will be configured between VRFs, and at a later stage some kind of firewall will be employed between VPNs. The hard part is getting everything into the VPNs first (without anyone noticing too much :-)

Ideally I'd like to bring up BGP sessions between the global table and VRFs on each PE. I notice I can do BGP sessions between VRFs, but can't quite wrap my head around global->VRF BGP. Is this even possible?

Thanks for thinking about it.

Tim:>

From ross at kallisti.us Wed Dec 17 11:25:11 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 17 Dec 2008 11:25:11 -0500
Subject: [c-nsp] Rate limiting but on packet count not bandwidth
In-Reply-To:
References:
Message-ID: <20081217162511.GA20802@kallisti.us>

On Wed, Dec 17, 2008 at 04:00:56PM +0100, Primoz Jeroncic wrote:
> Hi guys
>
> Does anyone have any idea if rate limiting traffic based on packet
> count would be possible on Cat3550/3560/3570 or any Cisco router?
> I would need to limit some users who don't generate much
> traffic (only about 5 or 6 Mbps), but whose packet count is huge (30k+ per sec).
>
> So is there some option to limit their traffic to, let's say, 5000 packets/sec
> regardless of the bandwidth they use?

I've wanted this on Catalyst platforms for a long time, it doesn't really exist. On your platforms, you should be able to apply unicast storm-control to control the number of pps on a per-physical port basis, but you can't write a QoS policy that can be applied in general. Doesn't seem to be any way to do it on a VLAN. If you enable it on a trunk port, all VLANs will be dropped when one exceeds the threshold - probably not what you want.

Ross

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From amsoares at netcabo.pt Wed Dec 17 11:31:52 2008
From: amsoares at netcabo.pt (Antonio Soares)
Date: Wed, 17 Dec 2008 16:31:52 -0000
Subject: [c-nsp] 32 bit ASN
In-Reply-To: <200812170742.58324.braaen@zcorum.com>
References: <276E86096AB64D8C988E3AAA77CE4484@int.convex.pt> <200812170742.58324.braaen@zcorum.com>
Message-ID: <29E4F14B179D43D89D13BCC1B965C36A@int.convex.pt>

Thanks Brian.

IOS-XR and NX-OS seem to be the only OSes in the Cisco family that support this. IOS-XR since release 3.4.0 and NX-OS since 4.0(1).

By the way, I found this document written by Jeff Doyle about this subject:

http://www.networkworld.com/community/node/35767

Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Raaen
Sent: Wednesday, 17 December 2008 12:43
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 32 bit ASN

I recently brought up the same question on NANOG. Here is the thread

http://mailman.nanog.org/pipermail/nanog/2008-August/003347.html

As far as I can tell Cisco is really dragging their feet on this one, unless you are buying one of their Super-Deluxe model devices that runs on a different IOS.

----------------------
Brian Raaen
Network Engineer
braaen at zcorum.com

On Wednesday 17 December 2008, Antonio Soares wrote:
> Hello group,
>
> Does anybody know if the 32-bit ASN feature is already available on Cisco IOS ? I didn't find this feature on Feature Navigator. It's
> quite strange that no information seems to be available. RIPE will
> start assigning 32-bit ASN's on 1/1/2009.
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt

From spencer at ceiva.com Wed Dec 17 11:53:21 2008
From: spencer at ceiva.com (Spencer Barnes)
Date: Wed, 17 Dec 2008 08:53:21 -0800
Subject: [c-nsp] Cisco 7206 - High CPU Utilization
In-Reply-To: <4948B693.6000908@infopact.nl>
References: <0BE527EE61205F409B0EDB4F6544552E01BE20D4@stewie.ceiva.local> <4948B693.6000908@infopact.nl>
Message-ID: <0BE527EE61205F409B0EDB4F6544552E01BE21A5@stewie.ceiva.local>

I included several replies in this that didn't make the list because I thought the information might be helpful.

"You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)"

Pure routing. I set up a server on our external network with a big file and uploaded it to the remote network outside of the VPN, verified by a traceroute.

"What type of VPN is it and what type of encryption are you using?"

Here is the VPN config.

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address xxx
crypto ipsec transform-set abc esp-des esp-md5-hmac
crypto map myvpn 5 ipsec-isakmp
 description === 192 to xxx ===
 set peer xxx
 set transform-set abc
 match address 153
crypto map myvpn 6 ipsec-isakmp
 description === 172 to xxx ===
 set peer xxx
 set transform-set abc
 match address 154

"...is it possible that without a IPSec accelerator card that your experiences is not unsurprising?"
That is what it is beginning to look like but the fact that IP input is high even without the VPN is confusing to me. Based on the CPU utilization graphs and the correlating bandwidth graphs, I could upload at half the T3's capacity and more than likely crash the router.

Configuration change since first post: Removed outbound ACL on Serial1/0. No effect on CPU utilization.

--------------------------------------
Spencer

-----Original Message-----
From: E. Versaevel [mailto:erik at infopact.nl]
Sent: Wednesday, December 17, 2008 12:22 AM
To: Spencer Barnes
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization

Hi Spencer,

All encryption is done in software on the CPU (no dedicated encryption hardware) unless you have a special module for that. Your config isn't exactly minimal (ie, gathering flow statistics & NAT also eats CPU), also notice that you are referring to 5 minute averages on the bandwidth, try setting load-interval 30 on the fast Ethernet interface to gather some more realistic values.

I've managed to get a 7206 VXR on its knees while doing ip fragmentation on a 6 mbit tunnel :) so take a look at `show ip traffic`

You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)

Kind regards,

Erik

From skeeve at skeeve.org Wed Dec 17 10:56:30 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Thu, 18 Dec 2008 02:56:30 +1100
Subject: [c-nsp] 32 bit ASN
In-Reply-To: <01e701c9605c$e9e8b6d0$bdba2470$@net>
References: <276E86096AB64D8C988E3AAA77CE4484@int.convex.pt> <01e701c9605c$e9e8b6d0$bdba2470$@net>
Message-ID: <02e901c96060$0932a250$1b97e6f0$@org>

Any dates announced for 12.5T?
...Skeeve

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Luan Nguyen
Sent: Thursday, 18 December 2008 2:34 AM
To: 'Antonio Soares'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 32 bit ASN

Here's an old post on this topic:
http://puck.nether.net/pipermail/cisco-nsp/2008-August/053334.html

Also, I heard it's going to be implemented beginning 12.5T

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares
Sent: Wednesday, December 17, 2008 7:31 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 32 bit ASN

Hello group,

Does anybody know if the 32-bit ASN feature is already available on Cisco IOS ? I didn't find this feature on Feature Navigator. It's quite strange that no information seems to be available. RIPE will start assigning 32-bit ASN's on 1/1/2009.

Thanks.
Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From luan at netcraftsmen.net Wed Dec 17 12:25:48 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 17 Dec 2008 12:25:48 -0500
Subject: [c-nsp] MPLS-VPN migration
In-Reply-To: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com>
References: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com>
Message-ID: <021c01c9606c$80de5a40$829b0ec0$@net>

Let me try thinking out loud :)

There is BGP support for IP prefix import into a VRF table:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html

You could use static routes as well.

For dynamic, some people create two tunnels, same router, same subnet, sourced from different loopbacks. With one tunnel interface in the vrf, one in the global routing table

ip vrf CUSTOMER1
 rd
 route-target export
 route-target import
!
interface Tunnel100
 description VRF_CUSTOMER1_BRIDGE_TO_GLOBAL_ROUTING_TABLE
 bandwidth 50000
 ip vrf forwarding CUSTOMER1
 ip address 172.31.254.254 255.255.255.252
 load-interval 30
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
!
interface Tunnel200
 description GLOBAL_ROUTING_TABLE_BRIDGE_TO_VRF_CUSTOMER1
 bandwidth 50000
 ip address 172.31.254.253 255.255.255.252
 ip virtual-reassembly
 load-interval 30
 tunnel source y.y.y.y
 tunnel destination x.x.x.x

If you have a lot of customers (a lot of VRFs), then maybe try a DMVPN configuration with the global being the hub and each spoke in its own unique VRF...just a thought :)

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Durack
Sent: Wednesday, December 17, 2008 10:54 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] MPLS-VPN migration

Looking for some "creative" ideas on how best to accomplish this:

We are migrating a traditional enterprise-style IP network to an MPLS-VPN network. All the infrastructure MPLS/IGP/MP-BGP work is essentially done (it's a purely PE-PE network, no P routers anywhere.)

All "customer" networks are still in the global table. I need to migrate them into VPN groups, but maintain full reachability between global and VRFs during the migration. Route-leaking will be configured between VRFs, and at a later stage some kind of firewall will be employed between VPNs. The hard part is getting everything into the VPNs first (without anyone noticing too much :-)

Ideally I'd like to bring up BGP sessions between the global table and VRFs on each PE. I notice I can do BGP sessions between VRFs, but can't quite wrap my head around global->VRF BGP. Is this even possible?

Thanks for thinking about it.

Tim:>

From lukasz at bromirski.net Wed Dec 17 12:32:32 2008
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Wed, 17 Dec 2008 18:32:32 +0100
Subject: [c-nsp] 32 bit ASN
In-Reply-To: <02e901c96060$0932a250$1b97e6f0$@org>
References: <276E86096AB64D8C988E3AAA77CE4484@int.convex.pt> <01e701c9605c$e9e8b6d0$bdba2470$@net> <02e901c96060$0932a250$1b97e6f0$@org>
Message-ID: <494937B0.7060807@bromirski.net>

On 2008-12-17 16:56, Skeeve Stevens wrote:
> Any dates announced for 12.5T?

The 4-byte ASNs will still hit in the 12.4T line.
12.5T will be created after 12.5M, which still is somewhere in the future.

--
"Don't expect me to cry for all the       | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain   | http://lukasz.bromirski.net

From cchurc05 at harris.com Wed Dec 17 12:35:50 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 17 Dec 2008 11:35:50 -0600
Subject: [c-nsp] Cisco 7206 - High CPU Utilization
In-Reply-To: <0BE527EE61205F409B0EDB4F6544552E01BE21A5@stewie.ceiva.local>
References: <0BE527EE61205F409B0EDB4F6544552E01BE20D4@stewie.ceiva.local> <4948B693.6000908@infopact.nl> <0BE527EE61205F409B0EDB4F6544552E01BE21A5@stewie.ceiva.local>
Message-ID:

Try removing the ACLs and NetFlow one at a time, see if any of those help. The NAT you probably can't get rid of I'm guessing. Is this an older IOS version? Older ones couldn't do NAT in the CEF path, from what I remember. An upgrade might help. Although newer ones might complain about the NPE-225 in there. If you really need VPN, a 2851 or 3825 would do this with ease.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Spencer Barnes
Sent: Wednesday, December 17, 2008 11:53 AM
To: E. Versaevel
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization

I included several replies in this that didn't make the list because I thought the information might be helpful.

"You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)"

Pure routing. I set up a server on our external network with a big file and uploaded it to the remote network outside of the VPN, verified by a traceroute.

"What type of VPN is it and what type of encryption are you using?"

Here is the VPN config.
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address xxx
crypto ipsec transform-set abc esp-des esp-md5-hmac
crypto map myvpn 5 ipsec-isakmp
 description === 192 to xxx ===
 set peer xxx
 set transform-set abc
 match address 153
crypto map myvpn 6 ipsec-isakmp
 description === 172 to xxx ===
 set peer xxx
 set transform-set abc
 match address 154

"...is it possible that without a IPSec accelerator card that your experiences is not unsurprising?"

That is what it is beginning to look like but the fact that IP input is high even without the VPN is confusing to me. Based on the CPU utilization graphs and the correlating bandwidth graphs, I could upload at half the T3's capacity and more than likely crash the router.

Configuration change since first post: Removed outbound ACL on Serial1/0. No effect on CPU utilization.

--------------------------------------
Spencer

-----Original Message-----
From: E. Versaevel [mailto:erik at infopact.nl]
Sent: Wednesday, December 17, 2008 12:22 AM
To: Spencer Barnes
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization

Hi Spencer,

All encryption is done in software on the CPU (no dedicated encryption hardware) unless you have a special module for that. Your config isn't exactly minimal (ie, gathering flow statistics & NAT also eats CPU), also notice that you are referring to 5 minute averages on the bandwidth, try setting load-interval 30 on the fast Ethernet interface to gather some more realistic values.

I've managed to get a 7206 VXR on its knees while doing ip fragmentation on a 6 mbit tunnel :) so take a look at `show ip traffic`

You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)

Kind regards,

Erik

From cchurc05 at harris.com Wed Dec 17 12:37:03 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Wed, 17 Dec 2008 11:37:03 -0600
Subject: [c-nsp] 32 bit ASN
In-Reply-To: <02e901c96060$0932a250$1b97e6f0$@org>
References: <276E86096AB64D8C988E3AAA77CE4484@int.convex.pt> <01e701c9605c$e9e8b6d0$bdba2470$@net> <02e901c96060$0932a250$1b97e6f0$@org>
Message-ID:

Isn't it about time for a 13.0? Or is Cisco superstitious? :)

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Skeeve Stevens
Sent: Wednesday, December 17, 2008 10:57 AM
To: 'Luan Nguyen'; 'Antonio Soares'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 32 bit ASN

Any dates announced for 12.5T?

...Skeeve

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Luan Nguyen
Sent: Thursday, 18 December 2008 2:34 AM
To: 'Antonio Soares'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 32 bit ASN

Here's an old post on this topic:
http://puck.nether.net/pipermail/cisco-nsp/2008-August/053334.html

Also, I heard it's going to be implemented beginning 12.5T

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Soares
Sent: Wednesday, December 17, 2008 7:31 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 32 bit ASN

Hello group,

Does anybody know if the 32-bit ASN feature is already available on Cisco IOS ? I didn't find this feature on Feature Navigator. It's quite strange that no information seems to be available. RIPE will start assigning 32-bit ASN's on 1/1/2009.
Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

From spencer at ceiva.com Wed Dec 17 12:46:58 2008
From: spencer at ceiva.com (Spencer Barnes)
Date: Wed, 17 Dec 2008 09:46:58 -0800
Subject: [c-nsp] Cisco 7206 - High CPU Utilization
In-Reply-To:
References: <0BE527EE61205F409B0EDB4F6544552E01BE20D4@stewie.ceiva.local> <4948B693.6000908@infopact.nl> <0BE527EE61205F409B0EDB4F6544552E01BE21A5@stewie.ceiva.local>
Message-ID: <0BE527EE61205F409B0EDB4F6544552E01BE21C6@stewie.ceiva.local>

I removed all ACLs and Netflow but that did not have an effect. I think I can move NAT to the core router for testing purposes, I'll try and do that tomorrow morning. IOS version is (C7200-JK9O3S-M), Version 12.4(21).

Spencer

-----Original Message-----
From: Church, Charles [mailto:cchurc05 at harris.com]
Sent: Wednesday, December 17, 2008 9:36 AM
To: Spencer Barnes
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cisco 7206 - High CPU Utilization

Try removing the ACLs and NetFlow one at a time, see if any of those help. The NAT you probably can't get rid of I'm guessing. Is this an older IOS version? Older ones couldn't do NAT in the CEF path, from what I remember. An upgrade might help. Although newer ones might complain about the NPE-225 in there. If you really need VPN, a 2851 or 3825 would do this with ease.
Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Spencer Barnes
Sent: Wednesday, December 17, 2008 11:53 AM
To: E. Versaevel
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization

I included several replies in this that didn't make the list because I thought the information might be helpful.

"You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)"

Pure routing. I set up a server on our external network with a big file and uploaded it to the remote network outside of the VPN, verified by a traceroute.

"What type of VPN is it and what type of encryption are you using?"

Here is the VPN config.

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address xxx
crypto ipsec transform-set abc esp-des esp-md5-hmac
crypto map myvpn 5 ipsec-isakmp
 description === 192 to xxx ===
 set peer xxx
 set transform-set abc
 match address 153
crypto map myvpn 6 ipsec-isakmp
 description === 172 to xxx ===
 set peer xxx
 set transform-set abc
 match address 154

"...is it possible that without a IPSec accelerator card that your experiences is not unsurprising?"

That is what it is beginning to look like but the fact that IP input is high even without the VPN is confusing to me. Based on the CPU utilization graphs and the correlating bandwidth graphs, I could upload at half the T3's capacity and more than likely crash the router.

Configuration change since first post: Removed outbound ACL on Serial1/0. No effect on CPU utilization.

--------------------------------------
Spencer

-----Original Message-----
From: E. Versaevel [mailto:erik at infopact.nl]
Sent: Wednesday, December 17, 2008 12:22 AM
To: Spencer Barnes
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization

Hi Spencer,

All encryption is done in software on the CPU (no dedicated encryption hardware) unless you have a special module for that. Your config isn't exactly minimal (ie, gathering flow statistics & NAT also eats CPU), also notice that you are referring to 5 minute averages on the bandwidth, try setting load-interval 30 on the fast Ethernet interface to gather some more realistic values.

I've managed to get a 7206 VXR on its knees while doing ip fragmentation on a 6 mbit tunnel :) so take a look at `show ip traffic`

You are talking about disabling the VPN connection, are you only routing traffic at that point or are you still using some form of tunneling? (gre/ipip)

Kind regards,

Erik

From Moens at carrier2carrier.com Wed Dec 17 12:46:00 2008
From: Moens at carrier2carrier.com (Martin Moens)
Date: Wed, 17 Dec 2008 18:46:00 +0100
Subject: [c-nsp] 32 bit ASN
In-Reply-To: <29E4F14B179D43D89D13BCC1B965C36A@int.convex.pt>
References: <276E86096AB64D8C988E3AAA77CE4484@int.convex.pt> <200812170742.58324.braaen@zcorum.com> <29E4F14B179D43D89D13BCC1B965C36A@int.convex.pt>
Message-ID: <42F0C766A9A8DB47B5E86CA64738DC8B01905D90@bilbo.bdhz.c2c.local>

My Cisco SE told me last week 32b ASN will be supported in:

12.2(33)SRE for 7600 and 7200, due Q3 2009 :-(
12.4(24)T for ISR 28xx/38xx and 7200, due April 2009

Martin

cisco-nsp-bounces at puck.nether.net <> wrote on 17/12/2008 17:32:
> Thanks Brian.
>
> IOS-XR and NX-OS seem to be the only OSes in the Cisco family that
> support this. IOS-XR since release 3.4.0 and NX-OS since 4.0(1).
>
> By the way, I found this document written by Jeff Doyle about
> this subject:
>
> http://www.networkworld.com/community/node/35767
>
>
>
> Thanks.
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Raaen
> Sent: Wednesday, 17 December 2008 12:43
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 32 bit ASN
>
> I recently brought up the same question on NANOG. Here is the thread
>
> http://mailman.nanog.org/pipermail/nanog/2008-August/003347.html
>
> As far as I can tell Cisco is really dragging their feet on
> this one, unless you are buying one of their Super-Deluxe
> model devices
> that runs on a different IOS.
>
>
> ----------------------
>
> Brian Raaen
> Network Engineer
> braaen at zcorum.com
>
>
> On Wednesday 17 December 2008, Antonio Soares wrote:
>> Hello group,
>>
>> Does anybody know if the 32-bit ASN feature is already
> available on Cisco IOS ?
> I didn't find this feature on Feature Navigator. It's
>> quite strange that no information seems to be available. RIPE
>> will start
> assigning 32-bit ASN's on 1/1/2009.
>>
>>
>> Thanks.
>>
>> Regards,
>>
>> Antonio Soares, CCIE #18473 (R&S)
>> amsoares at netcabo.pt

From achatz at forthnet.gr Wed Dec 17 12:52:48 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 17 Dec 2008 19:52:48 +0200
Subject: [c-nsp] Rate limiting but on packet count not bandwidth
In-Reply-To: <20081217162511.GA20802@kallisti.us>
References: <20081217162511.GA20802@kallisti.us>
Message-ID: <49493C70.4070609@forthnet.gr>

Some platforms support the "police rate x pps" command, but I don't know if this should be used for CoPP exclusively.

"storm-control unicast" should block all unknown unicast, which is probably not what Primoz wants (besides the vlan/trunk matter).

--
Tassos

Ross Vandegrift wrote on 17/12/2008 18:25:
> On Wed, Dec 17, 2008 at 04:00:56PM +0100, Primoz Jeroncic wrote:
>> Hi guys
>>
>> Does anyone have any idea if rate limiting traffic based on packet
>> count would be possible on Cat3550/3560/3570 or any Cisco router?
>> I would need to limit some users who don't generate much
>> traffic (only about 5 or 6 Mbps), but whose packet count is huge (30k+ per sec).
>>
>> So is there some option to limit their traffic to, let's say, 5000 packets/sec
>> regardless of the bandwidth they use?
>
> I've wanted this on Catalyst platforms for a long time, it doesn't
> really exist.
> On your platforms, you should be able to apply unicast
> storm-control to control the number of pps on a per-physical port
> basis, but you can't write a QoS policy that can be applied in
> general. Doesn't seem to be any way to do it on a VLAN. If you
> enable it on a trunk port, all VLANs will be dropped when one exceeds
> the threshold - probably not what you want.
>
> Ross
>

From notrevebr at gmail.com Wed Dec 17 13:08:08 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Wed, 17 Dec 2008 16:08:08 -0200
Subject: [c-nsp] How to set port bandwidth on CatOS
Message-ID: <3cf174360812171008sb3070b0oaad6f88d4eb5ed7f@mail.gmail.com>

Hi all,

How can I set bandwidth on a switch running CatOS? Like IOS:

int f1/1
 band 10000

Tks All

From tdurack at gmail.com Wed Dec 17 13:21:24 2008
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 17 Dec 2008 13:21:24 -0500
Subject: [c-nsp] MPLS-VPN migration
In-Reply-To: <021c01c9606c$80de5a40$829b0ec0$@net>
References: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com> <021c01c9606c$80de5a40$829b0ec0$@net>
Message-ID: <9e246b4d0812171021o612dc3cbsaea482fec76caa2a@mail.gmail.com>

On Wed, Dec 17, 2008 at 12:25 PM, Luan Nguyen wrote:
> Let me try thinking out loud :)
> There is BGP support for IP prefix import into a VRF table:
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html
> You could use static routes as well.

Looked at that. Trouble is the static routes have to specify next-hop, which isn't going to be very scalable for directly-connected VLAN interfaces.

> For dynamic, some people create two tunnels, same router, same subnet,
> sourced from different loopbacks. With one tunnel interface in the vrf, one
> in the global routing table
>
>
> ip vrf CUSTOMER1
>  rd
>  route-target export
>  route-target import
> !
> interface Tunnel100
>  description VRF_CUSTOMER1_BRIDGE_TO_GLOBAL_ROUTING_TABLE
>  bandwidth 50000
>  ip vrf forwarding CUSTOMER1
>  ip address 172.31.254.254 255.255.255.252
>  load-interval 30
>  tunnel source x.x.x.x
>  tunnel destination y.y.y.y
> !
> interface Tunnel200
>  description GLOBAL_ROUTING_TABLE_BRIDGE_TO_VRF_CUSTOMER1
>  bandwidth 50000
>  ip address 172.31.254.253 255.255.255.252
>  ip virtual-reassembly
>  load-interval 30
>  tunnel source y.y.y.y
>  tunnel destination x.x.x.x

And point statics at the tunnel? I guess that could work.

I was hoping to do something along the lines of:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/bgp_router_id_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1055073

But it looks like this only works for VRF<->VRF BGP sessions, not VRF<->GLOBAL.

Tim:>

From lee.e.rian at census.gov Wed Dec 17 13:22:22 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Wed, 17 Dec 2008 13:22:22 -0500
Subject: [c-nsp] to tweek SPD or not to tweek SPD
In-Reply-To: <6fcc278a0812110314q1a213910q4c3dd682979541da@mail.gmail.com>
Message-ID:

"Jose Conceicao" wrote on 12/11/2008 06:14:02 AM:
> Hi
>
> Under what conditions would it be deemed wise to tweak SPD or disable it
> altogether?

Since nobody else seems to want to touch this...

I wouldn't disable SPD since it allows extra input buffering for things like routing packets that you really don't want to be dropped (eg. eigrp).

As far as I know, you only need to tweak SPD on things like 6500s that don't automagically adjust the thresholds for you. In my tests, increasing the input queue size on all interfaces on a real router (eg. 7200) automatically changed the SPD thresholds. Changing the input queue size on all interfaces on a 6500 didn't change a thing w/ SPD - I had to manually set the thresholds.
Regards,
Lee

From swmike at swm.pp.se Wed Dec 17 14:13:11 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 17 Dec 2008 20:13:11 +0100 (CET)
Subject: [c-nsp] Cisco 7206 - High CPU Utilization
In-Reply-To: <0BE527EE61205F409B0EDB4F6544552E01BE21C6@stewie.ceiva.local>
References: <0BE527EE61205F409B0EDB4F6544552E01BE20D4@stewie.ceiva.local> <4948B693.6000908@infopact.nl> <0BE527EE61205F409B0EDB4F6544552E01BE21A5@stewie.ceiva.local> <0BE527EE61205F409B0EDB4F6544552E01BE21C6@stewie.ceiva.local>
Message-ID:

On Wed, 17 Dec 2008, Spencer Barnes wrote:

> I removed all ACLs and Netflow but that did not have an effect. I think
> I can move NAT to the core router for testing purposes, I'll try and do
> that tomorrow morning. IOS version is (C7200-JK9O3S-M), Version
> 12.4(21).

If you're tunneling over 1500 media, doing "ip tcp mss-adjust 1300" on the interface where the traffic to encrypt/tunnel is passing unencrypted/untunneled, might help you. Worth a try though, you don't want multiple tunnel/encrypted packets per packet in the VPN.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From tincan at gmail.com Wed Dec 17 14:28:36 2008
From: tincan at gmail.com (Inca)
Date: Wed, 17 Dec 2008 11:28:36 -0800
Subject: [c-nsp] L2TP over IPSec on an ASA using machine certificate authentication -- anyone has success?
Message-ID:

Has anyone had success implementing L2TP over IPSec remote access VPN using a machine certificate for phase 1 negotiation (instead of a pre-shared key)?

If we use a pre-shared key for the phase 1 negotiation, the VPN connection is successful. But once we switch over to using a certificate for phase 1 negotiation, ISAKMP just doesn't seem to complete properly enough for phase 2 to kick in (although "debug crypto isakmp 255" on the ASA does say that "PHASE 1 COMPLETED", "debug crypto ipsec 255" returns no messages).
The machine and root certificates on the OS X 10.5.5 client were successfully imported into the keychain; the trust point on the ASA5510 is also setup properly. Yet, for some reason, the phase 1 negotiation just doesn't seem to jive well. We also tested using a Windows XP client machine, but that didn't work either. If anyone has had success with implementing L2TP over IPSec using machine certificate, I sure would appreciate any pointers. I've included debug messages from both the client and the ASA. TIA, Inca Remote access client (Mac OS X 10.5.5, at 172.17.1.1) ------------------------------------------------------------------------- Wed Dec 17 10:54:49 2008 : L2TP connecting to server '192.168.254.254' (192.168.254.254)... Wed Dec 17 10:54:52 2008 : L2TP sent SCCRQ Wed Dec 17 10:54:52 2008 : IPSec connection started Wed Dec 17 10:54:52 2008 : IPSec phase 1 client started Wed Dec 17 10:54:52 2008 : IPSec phase 1 server replied Wed Dec 17 10:54:52 2008 : IPSec connection failed ASA5510 (running software 8.0(4)16, at 192.168.254.254) ----------------------------------------------------------------------------- Dec 17 10:54:38 [IKEv1]: IP = 172.17.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 300 Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing SA payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Oakley proposal is acceptable Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Received NAT-Traversal RFC VID Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID 
payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Received NAT-Traversal ver 03 VID Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Received NAT-Traversal ver 02 VID Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Received DPD VID Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing IKE SA payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 10 Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing ISAKMP SA payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing NAT-Traversal VID ver 02 payload Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing Fragmentation VID + extended capabilities payload Dec 17 10:54:38 [IKEv1]: IP = 172.17.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124 Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 228 Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing ke payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing ISA_KE payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing nonce payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing NAT-Discovery payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, computing NAT Discovery hash Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing NAT-Discovery payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, 
computing NAT Discovery hash Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing ke payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing nonce payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing certreq payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing certreq payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing Cisco Unity VID payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing xauth V6 VID payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, Send IOS VID Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001) Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing VID payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing NAT-Discovery payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, computing NAT Discovery hash Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing NAT-Discovery payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, computing NAT Discovery hash Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, Generating keys for Responder... 
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 623 Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + CERT_REQ (7) + NONE (0) total length : 1509 Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing ID payload Dec 17 10:54:39 [IKEv1 DECODE]: IP = 172.17.1.1, DER_ASN1_DN ID received, len 148 Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing cert payload Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing RSA signature Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, Computing hash for ISAKMP Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing cert request payload Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Trying to find group via OU... Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, No Group found by matching OU(s) from ID payload: ou=Information Management Systems and Services, Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Trying to find group via IKE ID... Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Trying to find group via IP ADDR... Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Trying to find group via default group... 
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Connection landed on tunnel_group DefaultRAGroup Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 172.17.1.1, peer ID type 9 received (DER_ASN1_DN) Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 172.17.1.1, constructing ID payload Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 172.17.1.1, constructing cert payload Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 172.17.1.1, constructing RSA signature Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 172.17.1.1, Computing hash for ISAKMP Dec 17 10:54:39 [IKEv1 DECODE]: Constructed Signature Len: 128 Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 172.17.1.1, constructing dpd vid payload Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + VENDOR (13) + NONE (0) total length : 1510 Dec 17 10:54:39 [IKEv1]: Group = DefaultRAGroup, IP = 172.17.1.1, PHASE 1 COMPLETED Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Keep-alive type for this connection: DPD Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 172.17.1.1, Starting P1 rekey timer: 2700 seconds. Dec 17 10:54:39 [IKEv1]: Group = DefaultRAGroup, IP = 172.17.1.1, Received encrypted Oakley Informational packet with invalid payloads, MessID = 3526517605 From ml at t-b-o-h.net Wed Dec 17 15:54:01 2008 From: ml at t-b-o-h.net (Tuc at T-B-O-H) Date: Wed, 17 Dec 2008 15:54:01 -0500 (EST) Subject: [c-nsp] Any good filters for syslog output Message-ID: <200812172054.mBHKs1iY055902@vjofn.tucs-beachin-obx-house.com> Hi, We are going to be monitoring the syslog output (We already have a product (Zenoss)). Does anyone know of a repository of the "Watch for these regular expressions" to decide what is worth looking into, and whats worth ignoring. 
Thanks, Tuc

From dale.shaw+cisco-nsp at gmail.com Wed Dec 17 17:17:58 2008
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Thu, 18 Dec 2008 09:17:58 +1100
Subject: [c-nsp] How to set port bandwidth on CatOS
In-Reply-To: <3cf174360812171008sb3070b0oaad6f88d4eb5ed7f@mail.gmail.com>
References: <3cf174360812171008sb3070b0oaad6f88d4eb5ed7f@mail.gmail.com>
Message-ID: <3329cbb40812171417o2ceb34d6o76e976cd9651b31a@mail.gmail.com>

Hi Everton,

On Thu, Dec 18, 2008 at 5:08 AM, Everton Diniz wrote:
>
> How can I set bandwidth on a Sw running CatOS?
>
> Like IOS:
> int f1/1
> band 10000

The "bandwidth" command in IOS doesn't actually change the bandwidth of an interface -- it's used by other higher layer processes like routing protocols, queueing etc. For example, you might have an Ethernet port with an access speed of 100Mbps, but your upstream is policing on ingress to 35Mbps. In this case, specifying "bandwidth 35000" would likely help other IOS subsystems make proper decisions.

On Ethernet interfaces, it's the "speed" interface command that changes the interface speed (10Mbps, 100Mbps, 1Gbps, 10Gbps etc.) To set duplex, it's the "duplex" command (auto, half, full).

CatOS is a L2 switching operating system - no L3 support - and therefore does not have an interface command equivalent to "bandwidth". Routing on CatOS-based systems is handled by a separate module, which, not surprisingly, runs IOS.

The equivalent speed and duplex commands in CatOS are: "set port speed .." and "set port duplex .."
cheers,
Dale

From peter at rathlev.dk Wed Dec 17 17:52:49 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 17 Dec 2008 23:52:49 +0100
Subject: [c-nsp] Any good filters for syslog output
In-Reply-To: <200812172054.mBHKs1iY055902@vjofn.tucs-beachin-obx-house.com>
References: <200812172054.mBHKs1iY055902@vjofn.tucs-beachin-obx-house.com>
Message-ID: <1229554369.13223.19.camel@localhost.localdomain>

On Wed, 2008-12-17 at 15:54 -0500, Tuc at T-B-O-H wrote:
> We are going to be monitoring the syslog output (We already have
> a product (Zenoss)). Does anyone know of a repository of the "Watch
> for these regular expressions" to decide what is worth looking into,
> and what's worth ignoring.

I don't know of a repository but would also gladly hear about one.

Until we find it, we use what should have been "common sense", but often turns out to be circumstances/arbitrary. :-)

For our access-switches this means ignoring "^%CDP-4-DUPLEX_MISMATCH.*, with SEP" (we don't generally disable CDP downstream (I know!) and sometimes people use Cisco IP phones / ATA boxes behind non-CDP switches. What gives?). For the same general reason we don't always react immediately on seeing "^%CDP-4-NATIVE_VLAN_MISMATCH". (It's a "yellow" code.)

Generally we ignore link/line-proto changes in VLAN interfaces, relying on only changes in physical interfaces. That means that we always ignore "^%LINEPROTO-5-UPDOWN.* Vlan.* up ".

Most other messages are collected, logged and mailed to the NOC. A few message types are reacted upon in a more direct way, sending out text messages (SMS) to several people and playing irritating sounds from hidden speakers in the NOC. Those are messages like "^%LDP-5-NBGCHG.* is DOWN", "^%BGP-5-ADJCHANGE.* Down" and "^%ENVM-4-ENVWARN".

Apart from this we correlate logs on anomalies, e.g. an RTR probe exceeding some threshold or a NFsen alert being triggered. The correlation is strictly time based, but it usually gives an operator some clue as to what's happening.
Regards,
Peter

From paul at paulstewart.org Wed Dec 17 18:03:57 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 17 Dec 2008 18:03:57 -0500
Subject: [c-nsp] Any good filters for syslog output
In-Reply-To: <1229554369.13223.19.camel@localhost.localdomain>
References: <200812172054.mBHKs1iY055902@vjofn.tucs-beachin-obx-house.com> <1229554369.13223.19.camel@localhost.localdomain>
Message-ID: <004c01c9609b$d6487540$82d95fc0$@org>

Splunk is really good for that.... used to use Swatch years ago, not sure if it's still around at all.... We're looking at integrating Splunk into our monitoring platform in the next year or so (Cittio Watchtower).

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: December 17, 2008 5:53 PM
To: Tuc at T-B-O-H
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Any good filters for syslog output

On Wed, 2008-12-17 at 15:54 -0500, Tuc at T-B-O-H wrote:
> We are going to be monitoring the syslog output (We already have
> a product (Zenoss)). Does anyone know of a repository of the "Watch
> for these regular expressions" to decide what is worth looking into,
> and what's worth ignoring.

I don't know of a repository but would also gladly hear about one.

Until we find it, we use what should have been "common sense", but often turns out to be circumstances/arbitrary. :-)

For our access-switches this means ignoring "^%CDP-4-DUPLEX_MISMATCH.*, with SEP" (we don't generally disable CDP downstream (I know!) and sometimes people use Cisco IP phones / ATA boxes behind non-CDP switches. What gives?). For the same general reason we don't always react immediately on seeing "^%CDP-4-NATIVE_VLAN_MISMATCH". (It's a "yellow" code.)

Generally we ignore link/line-proto changes in VLAN interfaces, relying on only changes in physical interfaces. That means that we always ignore "^%LINEPROTO-5-UPDOWN.* Vlan.* up ".
Most other messages are collected, logged and mailed to the NOC. A few message types are reacted upon in a more direct way, sending out text messages (SMS) to several people and playing irritating sounds from hidden speakers in the NOC. Those are messages like "^%LDP-5-NBGCHG.* is DOWN", "^%BGP-5-ADJCHANGE.* Down" and "^%ENVM-4-ENVWARN".

Apart from this we correlate logs on anomalies, e.g. an RTR probe exceeding some threshold or a NFsen alert being triggered. The correlation is strictly time based, but it usually gives an operator some clue as to what's happening.

Regards,
Peter

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From andy.saykao at staff.netspace.net.au Wed Dec 17 18:32:31 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Thu, 18 Dec 2008 10:32:31 +1100
Subject: [c-nsp] Any good filters for syslog output (Tuc at T-B-O-H)
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654AFF@vic-cr-ex1.staff.netspace.net.au>

You can use OSSEC (http://www.ossec.net/) to monitor your log files for you. It's pretty easy to set up and then you can set up your own custom filters like below. When OSSEC finds a match in the log it will email you.

For example we have OSSEC monitoring a few syslog messages like:

%SEC-6-IPACCESSLOG
Unauthorized access.
Privilege level set to 15
User has entered enable mode.

Hope that helps.

Cheers.

Andy
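The ignore/page/mail triage Peter describes and the access-control messages Andy watches with OSSEC, put together as an added Python example (not code from either post, nor from OSSEC, Zenoss or Splunk). The rule regexes are adapted from the two posts, the sample syslog lines are constructed, and the "page on severity 0-2 even without a rule" fallback is an assumption of this example.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Rule table adapted from the two posts above (Peter's ignore/page patterns,
# Andy's OSSEC watch strings). First match wins, so the narrow "ignore"
# entries sit before the broader "page"/"mail" entries. Patterns are searched
# against the message text starting at the %FACILITY-SEVERITY-MNEMONIC tag.
RULES: List[Tuple[str, str]] = [
    # ignore: duplex mismatch against Cisco IP phones (CDP device-id SEP...)
    (r"^%CDP-4-DUPLEX_MISMATCH.*, with SEP", "ignore"),
    # ignore: line-protocol changes on SVIs; physical ports still get logged
    (r"^%LINEPROTO-5-UPDOWN.* Vlan\d+, changed state to", "ignore"),
    # page the NOC (SMS): LDP / BGP neighbour loss, environmental warnings.
    # The post writes NBGCHG; IOS emits %LDP-5-NBRCHG, so verify the mnemonic
    # against your own logs before relying on the rule.
    (r"^%LDP-5-NBRCHG.* is DOWN", "page"),
    (r"^%BGP-5-ADJCHANGE.* Down", "page"),
    (r"^%ENVM-4-ENVWARN", "page"),
    # mail: the access-control events Andy's OSSEC rules watch for
    (r"^%SEC-6-IPACCESSLOG", "mail"),
    (r"Unauthorized access", "mail"),
    (r"Privilege level set to 15", "mail"),
    (r"User has entered enable mode", "mail"),
]
COMPILED = [(re.compile(p), action) for p, action in RULES]

# IOS messages carry a %FACILITY-SEVERITY-MNEMONIC: tag; everything before it
# (sequence number, timestamp, hostname) depends on the collector.
TAG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+):")

# Assumption of this example: severity 0-2 (emergency/alert/critical) pages
# the NOC even when no explicit rule names the message.
PAGE_AT_OR_BELOW = 2


class IosMessage(NamedTuple):
    facility: str
    severity: int
    mnemonic: str
    text: str      # message text from the % tag to end of line


def parse_ios_syslog(line: str) -> Optional[IosMessage]:
    """Split out facility/severity/mnemonic; None when no IOS tag is present."""
    m = TAG_RE.search(line)
    if not m:
        return None
    return IosMessage(m.group("fac"), int(m.group("sev")), m.group("mn"),
                      line[m.start():].rstrip())


def classify(line: str) -> str:
    """Map one syslog line to ignore / page / mail / log. "log" is Peter's
    default: everything unmatched is collected and mailed in bulk to the NOC."""
    parsed = parse_ios_syslog(line)
    if parsed is None:
        return "log"            # non-IOS or unparsable: keep it, a human decides
    for rx, action in COMPILED:
        if rx.search(parsed.text):
            return action
    if parsed.severity <= PAGE_AT_OR_BELOW:
        return "page"
    return "log"


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket a batch of lines by action; every bucket is always present."""
    buckets: Dict[str, List[str]] = {k: [] for k in ("ignore", "page", "mail", "log")}
    for line in lines:
        buckets[classify(line)].append(line)
    return buckets


# Constructed sample lines in IOS syslog format (not taken from the posts).
SAMPLE_LINES = [
    "Dec 17 22:01:02 sw-acc-01 105: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/12 (not half duplex), with SEP001122334455 Port 1 (half duplex).",
    "Dec 17 22:01:03 sw-acc-01 106: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up",
    "Dec 17 22:01:04 sw-acc-01 107: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down",
    "Dec 17 22:01:05 pe-01 2201: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.2:0 (1) is DOWN (Session KeepAlive Timer Expired)",
    "Dec 17 22:01:06 pe-01 2202: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent",
    "Dec 17 22:01:07 pe-01 2203: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4444) -> 10.1.1.1(22), 1 packet",
    "Dec 17 22:01:08 pe-01 2204: %SYS-5-PRIV_I: Privilege level set to 15 by admin on vty0 (10.1.1.50)",
    "Dec 17 22:01:09 sw-acc-01 108: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with sw-acc-02 GigabitEthernet0/2 (10).",
    "Dec 17 22:01:10 pe-01 2205: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60A3B1C0, alignment 0",
    "Dec 17 22:01:11 host1 sshd[1234]: Accepted publickey for ops from 10.1.1.50",
]

if __name__ == "__main__":
    for action, lines in triage(SAMPLE_LINES).items():
        print(f"{action:6s} {len(lines)}")
        for line in lines:
            print("   ", line)
```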
From skeeve at skeeve.org Wed Dec 17 20:02:40 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Thu, 18 Dec 2008 12:02:40 +1100
Subject: [c-nsp] HWIC-3G-GSM vs 881G
Message-ID: 

Are there any technical differences between the HWIC-3G-GSM in an 1841 and a 881G (with 3G)? Better performance? Technically or anything?

Thanks.

--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From luan at netcraftsmen.net Wed Dec 17 21:55:39 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 17 Dec 2008 21:55:39 -0500
Subject: [c-nsp] MPLS-VPN migration
In-Reply-To: <9e246b4d0812171021o612dc3cbsaea482fec76caa2a@mail.gmail.com>
References: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com> <021c01c9606c$80de5a40$829b0ec0$@net> <9e246b4d0812171021o612dc3cbsaea482fec76caa2a@mail.gmail.com>
Message-ID: <029001c960bc$1c035b70$540a1250$@net>

You could run a routing protocol inside the (DMVPN) tunnel like OSPF and redistribute using MP-BGP.

router ospf 1 vrf CUSTOMER1      <--- VRF instance of OSPF
 network [tunnel interface ip network] area 0
 redistribute bgp 65535 subnets route-map redis-bgp-vrf-CUSTOMER1-to-ospf
!
router ospf 2
 network [tunnel interface ip network] area 0
!
router bgp 65535
 address-family ipv4 vrf CUSTOMER1
  redistribute ospf 1 vrf CUSTOMER1 route-map redis-ospf-to-bgp-vrf

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: Tim Durack [mailto:tdurack at gmail.com]
Sent: Wednesday, December 17, 2008 1:21 PM
To: Luan Nguyen
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MPLS-VPN migration

On Wed, Dec 17, 2008 at 12:25 PM, Luan Nguyen wrote:
> Let me try thinking out loud :)
> There is BGP support for IP prefix import into VRF table:
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html
> You could use static routes as well.

Looked at that. Trouble is the static routes have to specify next-hop, which isn't going to be very scalable for directly-connected VLAN interfaces.

> For dynamic, some people create two tunnels, same router, same subnet,
> sourced from different loopbacks. With one tunnel interface in the vrf, one
> in the global routing table
>
>
> ip vrf CUSTOMER1
>  rd
>  route-target export
>  route-target import
> !
> interface Tunnel100
>  description VRF_CUSTOMER1_BRIDGE_TO_GLOBAL_ROUTING_TABLE
>  bandwidth 50000
>  ip vrf forwarding CUSTOMER1
>  ip address 172.31.254.254 255.255.255.252
>  load-interval 30
>  tunnel source x.x.x.x
>  tunnel destination y.y.y.y
> !
> interface Tunnel200
>  description GLOBAL_ROUTING_TABLE_BRIDGE_TO_VRF_CUSTOMER1
>  bandwidth 50000
>  ip address 172.31.254.253 255.255.255.252
>  ip virtual-reassembly
>  load-interval 30
>  tunnel source y.y.y.y
>  tunnel destination x.x.x.x

And point statics at the tunnel? I guess that could work.

I was hoping to do something along the lines of:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/bgp_router_id_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1055073

But it looks like this only works for VRF<->VRF BGP sessions, not VRF<->GLOBAL.

Tim:>

From ney25 at hotmail.com Thu Dec 18 01:58:03 2008
From: ney25 at hotmail.com (Jack)
Date: Thu, 18 Dec 2008 14:58:03 +0800
Subject: [c-nsp] STP or HSRP problem ?
Message-ID: 

Hi, anyone who has experienced or encountered this?
HSRP configuration has no problem, and the root bridge as well, but these logs only happened on Sw1, whereas Sw2 shows no suspicious error symptom.

Dec 12 15:40:24.556 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state Standby -> Active
Dec 12 15:40:24.564 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state Active -> Speak

Regards,
Jack

From avayner at cisco.com Thu Dec 18 02:11:42 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 18 Dec 2008 08:11:42 +0100
Subject: [c-nsp] MPLS-VPN migration
In-Reply-To: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com>
References: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A50258F8E0@xmb-ams-331.emea.cisco.com>

Tim,

Another option is to attach the existing network to the relevant VPN as a CE, and maintain connectivity to the non-migrated sites through the old topology, while every migrated site would become reachable via the VPN.

In this case you just connect the old network through an "ASBR" to a major PE (you can have 2 or 3, but would be easier in active/standby if BW is not the issue etc as you would be creating backdoor links inside the VPN). As soon as the old network is connected, you can expand the IGP of the global routing into the VPN, so reachability would be maintained.

Let me know if you want to explore this a bit more.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Durack
Sent: Wednesday, December 17, 2008 17:54
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] MPLS-VPN migration

Looking for some "creative" ideas on how best to accomplish this:

We are migrating a traditional enterprise-style IP network to an MPLS-VPN network. All the infrastructure MPLS/IGP/MP-BGP work is essentially done (it's a purely PE-PE network, no P routers anywhere.)

All "customer" networks are still in the global table.
I need to migrate them into VPN groups, but maintain full reachability between global and VRFs during the migration. Route-leaking will be configured between VRFs, and at a later stage some kind of firewall will be employed between VPNs. The hard part is getting everything into the VPNs first (without anyone noticing too much :-)

Ideally I'd like to bring up BGP sessions between the global table and VRFs on each PE. I notice I can do BGP sessions between VRFs, but can't quite wrap my head around global->VRF BGP. Is this even possible?

Thanks for thinking about it.

Tim:>

From saku+cisco-nsp at ytti.fi Thu Dec 18 02:37:11 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Thu, 18 Dec 2008 09:37:11 +0200
Subject: [c-nsp] SoO causing 1-member update groups
In-Reply-To: <20081216213746.GY97614@elvis.mu.org>
References: <20081216213746.GY97614@elvis.mu.org>
Message-ID: <20081218073711.GA2151@mx.ytti.net>

On (2008-12-16 13:37 -0800), bill fumerola wrote:

Hey Bill,

> why does adding an external community to a route (via a route-map)
> impact the neighbor itself? i realize in later versions of IOS this
> command was added to the per-{neighbor,peer-group,peer-policy} stanzas.

I'm trying to think how else it could work, and I'm drawing a blank. Since when a neighbour has been set with SoO, you will have to send different routes to that neighbour, as you omit sending any routes that already have that SoO set. I guess SoO could have been implemented as some filter post update-group, but that would have introduced more complexity.
--
  ++ytti

From lists at daniels.id.au Thu Dec 18 03:12:46 2008
From: lists at daniels.id.au (Aaron Daniels - Lists)
Date: Thu, 18 Dec 2008 18:12:46 +1000
Subject: [c-nsp] MPLS-VPN migration
In-Reply-To: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com>
References: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com>
Message-ID: <01d401c960e8$6bc17710$43446530$@id.au>

We just tackled this one in our organisation. 2 gotchas:

1. Router-id must be different between peers, make sure your code supports vrf specific router-id.
2. iBGP was very messy IMHO, so we went with eBGP using local-as to have each vrf appear to be a different 65xxx AS.

I can send you my lab configs tomorrow.

Thanks,

Aaron

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Tim Durack
> Sent: Thursday, 18 December 2008 1:54 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] MPLS-VPN migration
>
> Looking for some "creative" ideas on how best to accomplish this:
>
> We are migrating a traditional enterprise-style IP network to an
> MPLS-VPN network. All the infrastructure MPLS/IGP/MP-BGP work is
> essentially done (it's a purely PE-PE network, no P routers anywhere.)
>
> All "customer" networks are still in the global table. I need to
> migrate them into VPN groups, but maintain full reachability between
> global and VRFs during the migration. Route-leaking will be configured
> between VRFs, and at a later stage some kind of firewall will be
> employed between VPNs. The hard part is getting everything into the
> VPNs first (without anyone noticing too much :-)
>
> Ideally I'd like to bring up BGP sessions between the global table and
> VRFs on each PE. I notice I can do BGP sessions between VRFs, but
> can't quite wrap my head around global->VRF BGP. Is this even
> possible?
>
> Thanks for thinking about it.
>
> Tim:>

From oboehmer at cisco.com Thu Dec 18 04:00:33 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 18 Dec 2008 10:00:33 +0100
Subject: [c-nsp] SoO causing 1-member update groups
In-Reply-To: <20081218073711.GA2151@mx.ytti.net>
References: <20081216213746.GY97614@elvis.mu.org> <20081218073711.GA2151@mx.ytti.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784069448FB@xmb-ams-333.emea.cisco.com>

Saku Ytti <> wrote on Thursday, December 18, 2008 08:37:

> On (2008-12-16 13:37 -0800), bill fumerola wrote:
>
> Hey Bill,
>
>> why does adding an external community to a route (via a route-map)
>> impact the neighbor itself? i realize in later versions of IOS this
>> command was added to the per-{neighbor,peer-group,peer-policy}
>> stanzas.
>
> I'm trying to think how else it could work, and I'm drawing a blank.
> Since when a neighbour has been set with SoO, you will have to send
> different routes to that neighbour, as you omit sending any routes
> that already have that SoO set.

Well, this is true, but Bill had the same SoO community configured on all peers, so they all share the same outbound routing policy, and thus all fall into the same update-group. This was just recently fixed via CSCso80951 (BGP peers with same policy fall into different update-group with SOO).

Bill: Not sure if I would use SoO for your purpose due to its dual semantic: It tags a BGP path (which is what you want to achieve), but it also implicitly filters those paths outbound on peers setting the same SoO value inbound (which might or might not be intentional).
oli

From eric at atlantech.net Thu Dec 18 06:52:58 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Thu, 18 Dec 2008 06:52:58 -0500
Subject: [c-nsp] Any good filters for syslog output
In-Reply-To: <200812172054.mBHKs1iY055902@vjofn.tucs-beachin-obx-house.com>
References: <200812172054.mBHKs1iY055902@vjofn.tucs-beachin-obx-house.com>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863514034B6B@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Tuc at T-B-O-H
> Sent: Wednesday, December 17, 2008 3:54 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Any good filters for syslog output
>
> Hi,
>
> We are going to be monitoring the syslog output (We already have
> a product (Zenoss)). Does anyone know of a repository of the "Watch
> for these regular expressions" to decide what is worth looking into, and
> what's worth ignoring.
>
> Thanks, Tuc

If you're looking for a supported, proprietary product, check out Solarwinds Orion - much more than just a syslog repository, though. You are able to store syslogs in a SQL database, create rules for syslogs based upon source IP, source hostname, message type (%LINK-4-ERROR, etc.), and message contents. You can also do fancy things like forward the syslog to another syslog server, send an email/page, modify the message, and do time-of-day rules. On the downside, if all you need is a syslog server, you have to pay for the entire Orion suite, which is pretty expensive.
-evt

From willay at gmail.com Thu Dec 18 07:02:54 2008
From: willay at gmail.com (William)
Date: Thu, 18 Dec 2008 12:02:54 +0000
Subject: [c-nsp] Any good filters for syslog output
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863514034B6B@exchange.aoihq.local>
References: <200812172054.mBHKs1iY055902@vjofn.tucs-beachin-obx-house.com> <2C05E949E19A9146AF7BDF9D44085B863514034B6B@exchange.aoihq.local>
Message-ID: 

We use a combo of syslog-ng+swatch for our filtering which can do quite a lot for free; any more tips on what messages people are looking for on Cisco networks would be appreciated.

Cheers,

W

2008/12/18 Eric Van Tol :
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of Tuc at T-B-O-H
>> Sent: Wednesday, December 17, 2008 3:54 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Any good filters for syslog output
>>
>> Hi,
>>
>> We are going to be monitoring the syslog output (We already have
>> a product (Zenoss)). Does anyone know of a repository of the "Watch
>> for these regular expressions" to decide what is worth looking into, and
>> what's worth ignoring.
>>
>> Thanks, Tuc
>
> If you're looking for a supported, proprietary product, check out Solarwinds Orion - much more than just a syslog repository, though. You are able to store syslogs in a SQL database, create rules for syslogs based upon source IP, source hostname, message type (%LINK-4-ERROR, etc.), and message contents. You can also do fancy things like forward the syslog to another syslog server, send an email/page, modify the message, and do time-of-day rules. On the downside, if all you need is a syslog server, you have to pay for the entire Orion suite, which is pretty expensive.
>
> -evt

From Marcus.Gerdon at versatel.de Thu Dec 18 05:55:01 2008
From: Marcus.Gerdon at versatel.de (Marcus.Gerdon)
Date: Thu, 18 Dec 2008 11:55:01 +0100
Subject: [c-nsp] 32 bit ASN
Message-ID: <9F66B1E4971A064794AF6AB952A3ADDD054C588A@VTSVEXCH01.versatel.local>

Hi @All,

what information I got regarding AS32 is somewhat worrisome:

12.0(32)S12   Q4/2008                  for 72 & GSR
12.4(24)T     Q1/2009                  ISRs, 72, 73
12.2SRE       Q3-Q4/2009               for 72 & 76
12.2SXI       unspecified, late 2009   for 65
12.2SB        no longer for 72, only 10k

At least they'll go for asplain, so messing around with the regex to get asdot (maybe optionally supported...?) implemented is history.

regards,
Marcus

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Martin Moens
> Sent: Wednesday, 17 December 2008 18:46
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 32 bit ASN
>
> My Cisco SE told me last week 32b ASN will be supported in:
> 12.2(33)SRE for 7600 and 7200, due Q3 2009 :-(
> 12.4(24)T for ISR 28xx/38xx and 7200, due april 2009
>
> Martin
>
>
> cisco-nsp-bounces at puck.nether.net <> wrote on 17/12/2008 17:32:
>
> > Thanks Brian.
> >
> > IOS-XR and NX-OS seem the only OSs in the Cisco family that
> > support this. IOS-XR since release 3.4.0 and NX-OS since 4.0(1).
> >
> > By the way, I found this document written by Jeff Doyle about
> > this subject:
> >
> > http://www.networkworld.com/community/node/35767
> >
> >
> >
> > Thanks.
> >
> > Regards,
> >
> > Antonio Soares, CCIE #18473 (R&S)
> > amsoares at netcabo.pt
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Raaen
> > Sent: Wednesday, 17 December 2008 12:43
> > To: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] 32 bit ASN
> >
> > I recently brought up the same question on NANOG. Here is the thread
> >
> > http://mailman.nanog.org/pipermail/nanog/2008-August/003347.html
> >
> > As far as I can tell Cisco is really dragging their feet on
> > this one, unless you are buying one of their Super-Deluxe
> > model devices that runs on a different IOS.
> >
> >
> > ----------------------
> >
> > Brian Raaen
> > Network Engineer
> > braaen at zcorum.com
> >
> >
> > On Wednesday 17 December 2008, Antonio Soares wrote:
> >> Hello group,
> >>
> >> Does anybody know if the 32-bit ASN feature is already
> >> available on Cisco IOS? I didn't find this feature on Feature Navigator. It's
> >> quite strange that no information seems to be available. RIPE
> >> will start assigning 32-bit ASNs on 1/1/2009.
> >>
> >>
> >> Thanks.
> >>
> >> Regards,
> >>
> >> Antonio Soares, CCIE #18473 (R&S)
> >> amsoares at netcabo.pt
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
>

From amsoares at netcabo.pt Thu Dec 18 07:51:26 2008
From: amsoares at netcabo.pt (Antonio Soares)
Date: Thu, 18 Dec 2008 12:51:26 -0000
Subject: [c-nsp] 32 bit ASN
In-Reply-To: <9F66B1E4971A064794AF6AB952A3ADDD054C588A@VTSVEXCH01.versatel.local>
References: <9F66B1E4971A064794AF6AB952A3ADDD054C588A@VTSVEXCH01.versatel.local>
Message-ID: <7B3E8F8E4E204974A78CAC2304607F88@int.convex.pt>

12.2SXI for the 6500 is already available. So I suppose it is the first IOS that supports this feature.
Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marcus.Gerdon
Sent: Thursday, 18 December 2008 10:55
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 32 bit ASN

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From gert at greenie.muc.de Thu Dec 18 08:35:18 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 18 Dec 2008 14:35:18 +0100
Subject: [c-nsp] 32 bit ASN
In-Reply-To: <7B3E8F8E4E204974A78CAC2304607F88@int.convex.pt>
References: <9F66B1E4971A064794AF6AB952A3ADDD054C588A@VTSVEXCH01.versatel.local> <7B3E8F8E4E204974A78CAC2304607F88@int.convex.pt>
Message-ID: <20081218133518.GE8535@greenie.muc.de>

Hi,

On Thu, Dec 18, 2008 at 12:51:26PM -0000, Antonio Soares wrote:
> 12.2SXI for the 6500 is already available. So I suppose it is the first IOS that supports this feature.

It doesn't. Maybe planned for a later rebuild of SXI.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From peter at rathlev.dk Thu Dec 18 09:16:37 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 18 Dec 2008 15:16:37 +0100
Subject: [c-nsp] STP or HSRP problem ?
In-Reply-To:
References:
Message-ID: <1229609797.7000.11.camel@localhost.localdomain>

On Thu, 2008-12-18 at 14:58 +0800, Jack wrote:
> Has anyone experienced or encountered this?
>
> HSRP configuration has no problem, and the root bridge as well.
>
> But these logs only appeared on Sw1, whereas Sw2 shows no suspicious
> error symptoms.
>
> Dec 12 15:40:24.556 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state
> Standby -> Active
> Dec 12 15:40:24.564 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state
> Active -> Speak

Are there any log messages before this? Something must've placed the switch in standby mode for HSRP group 1 on VLAN 10.

The above commands would be normal if VLAN10 changed from "line protocol down" to "line protocol up". It wasn't bumped like that? Any aggressive timers that could make the HSRP unstable?
Regards,
Peter

From RTeller at deltadentalwa.com Thu Dec 18 09:43:46 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Thu, 18 Dec 2008 06:43:46 -0800
Subject: [c-nsp] STP or HSRP problem ?
In-Reply-To:
References:
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01A30@tiger.deltadentalwa.com>

This appears to be related to HSRP. What is the exact problem you're having: do your users report momentary loss of connectivity, or are you just looking in your log file and seeing this entry? It's hard to say what the problem is without seeing your config.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jack
Sent: Wednesday, December 17, 2008 10:58 PM
To: cisco netpro
Subject: [c-nsp] STP or HSRP problem ?

Hi,

Has anyone experienced or encountered this?

HSRP configuration has no problem, and the root bridge as well.

But these logs only appeared on Sw1, whereas Sw2 shows no suspicious error symptoms.

Dec 12 15:40:24.556 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state Standby -> Active
Dec 12 15:40:24.564 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state Active -> Speak

Regards,
Jack

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From Marcus.Gerdon at versatel.de Thu Dec 18 08:37:50 2008
From: Marcus.Gerdon at versatel.de (Marcus.Gerdon)
Date: Thu, 18 Dec 2008 14:37:50 +0100
Subject: [c-nsp] 32 bit ASN
Message-ID: <9F66B1E4971A064794AF6AB952A3ADDD054C59A0@VTSVEXCH01.versatel.local>

Hi,

I just checked the info I have -> 2nd source says SXJ ... so supposedly that one with a time frame was a typo and meant to be SXJ.

regards,
Marcus

----------------------------------------------------------------------------------------
Systemtechnik Internet / Internet Engineering
Versatel West GmbH
Unterste-Wilms-Strasse 29
D-44143 Dortmund
Fon: +49-(0)231-399-4486 | Fax: +49-(0)231-399-4491
marcus.gerdon at versatel.de | www.versatel.de
Registered office: Essen, Register court: Essen HRB 19502
Managing directors: Marc Lützenkirchen, Peer Knauer, Dr. Hai Cheng, Dr. Christian Schemann
----------------------------------------------------------------------------------------
AS8881 / AS8638 / AS13270 | MG3031-RIPE
----------------------------------------------------------------------------------------

> -----Original Message-----
> From: Gert Doering [mailto:gert at greenie.muc.de]
> Sent: Thursday, 18 December 2008 14:35
> To: Antonio Soares
> Cc: Marcus.Gerdon; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 32 bit ASN
>
> Hi,
>
> On Thu, Dec 18, 2008 at 12:51:26PM -0000, Antonio Soares wrote:
> > 12.2SXI for the 6500 is already available. So I suppose it
> is the first IOS that supports this feature.
>
> It doesn't. Maybe planned for a later rebuild of SXI.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> > //www.muc.de/~gert/ > Gert Doering - Munich, Germany > gert at greenie.muc.de > fax: +49-89-35655025 > gert at net.informatik.tu-muenchen.de > From gulerozgur at yahoo.co.uk Thu Dec 18 10:14:45 2008 From: gulerozgur at yahoo.co.uk (Ozgur Guler) Date: Thu, 18 Dec 2008 15:14:45 +0000 (GMT) Subject: [c-nsp] STP or HSRP problem ? In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01A30@tiger.deltadentalwa.com> Message-ID: <786938.99826.qm@web25503.mail.ukl.yahoo.com> Have you done a "write mem" or any configuration change just prior to this? Do you have any throttles on this interface? --- On Thu, 18/12/08, Teller, Robert wrote: From: Teller, Robert Subject: Re: [c-nsp] STP or HSRP problem ? To: "Jack" , "cisco netpro" Date: Thursday, 18 December, 2008, 2:43 PM This appears to be related to hsrp. What is the exact problem your having, do your users report loss of connectivity momentarily or are you just looking in your log file and see this entry. It's hard to say without see your config what the problem is. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jack Sent: Wednesday, December 17, 2008 10:58 PM To: cisco netpro Subject: [c-nsp] STP or HSRP problem ? Hi, anyone who has experienced or encountered this ? HSRP configuration has no problem and root bridge as well. but this logs only happened in Sw1. whereby sw2 has no suspicious error symptom found. Dec 12 15:40:24.556 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state Standby -> Active Dec 12 15:40:24.564 CCT: %STANDBY-6-STATECHANGE: Vlan10 Group 1 state Active -> Speak Regards, Jack ######################################################### The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. 
If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address. ######################################################### _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From charlie at playlouder.com Thu Dec 18 10:52:19 2008 From: charlie at playlouder.com (Charlie Allom) Date: Thu, 18 Dec 2008 15:52:19 +0000 Subject: [c-nsp] STP or HSRP problem ? In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01A30@tiger.deltadentalwa.com> References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01A30@tiger.deltadentalwa.com> Message-ID: <20081218155219.GK269@eatyourpets.com> On Thu, Dec 18, 2008 at 06:43:46AM -0800, Teller, Robert wrote: > This appears to be related to hsrp. What is the exact problem your > having, do your users report loss of connectivity momentarily or are you > just looking in your log file and see this entry. It's hard to say > without see your config what the problem is. I get this often on ISR routers with high CPU (2821's) Depending on how long it lasts it can knock out streaming but that's about all that notices. C. -- 020 7729 4797 http://blog.playlouder.com/ From ecables at gmail.com Thu Dec 18 11:11:15 2008 From: ecables at gmail.com (Eric Cables) Date: Thu, 18 Dec 2008 08:11:15 -0800 Subject: [c-nsp] Any good filters for syslog output In-Reply-To: References: <200812172054.mBHKs1iY055902@vjofn.tucs-beachin-obx-house.com> <2C05E949E19A9146AF7BDF9D44085B863514034B6B@exchange.aoihq.local> Message-ID: I've been using swatch for a couple of years now, and have been pretty happy with it (I used CiscoWorks' built-in syslog analyzer before, yuck!). 
I have had ambitions to test out SEC (Simple Event Correlator), which appears to still be developed (not sure if I've seen a swatch update since I started using it), but I just haven't had the time to do so. For those who have used both swatch & SEC, do you have any arguments for switching to SEC? -- Eric Cables On Thu, Dec 18, 2008 at 4:02 AM, William wrote: > We use a combo of syslog-ng+swatch for our filtering which can do > quite a lot for free, any more tips on what messages people are > looking for on Cisco networks would be appreciated. > > Cheers, > > W > > 2008/12/18 Eric Van Tol : > >> -----Original Message----- > >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > >> bounces at puck.nether.net] On Behalf Of Tuc at T-B-O-H > >> Sent: Wednesday, December 17, 2008 3:54 PM > >> To: cisco-nsp at puck.nether.net > >> Subject: [c-nsp] Any good filters for syslog output > >> > >> Hi, > >> > >> We are going to be monitoring the syslog output (We already have > >> a product (Zenoss)). Does anyone know of a repository of the "Watch > >> for these regular expressions" to decide what is worth looking into, and > >> whats worth ignoring. > >> > >> Thanks, Tuc > > > > If you're looking for a supported, proprietary product, check out > Solarwinds Orion - much more than just a syslog repository, though. You are > able to store syslogs in a SQL database, create rules for syslogs based upon > source IP, source hostname, message type (%LINK-4-ERROR, etc.), and message > contents. You can also do fancy things like forward the syslog to another > syslog server, send an email/page, modify the message, and do time-of-day > rules. On the downside, if all you need is a syslog server, you have to pay > for the entire Orion suite, which is pretty expensive. 
> >
> > -evt
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>

From christian at zengl.net Thu Dec 18 11:55:37 2008
From: christian at zengl.net (Christian Zeng)
Date: Thu, 18 Dec 2008 17:55:37 +0100
Subject: [c-nsp] Any good filters for syslog output
In-Reply-To:
References: <200812172054.mBHKs1iY055902@vjofn.tucs-beachin-obx-house.com> <2C05E949E19A9146AF7BDF9D44085B863514034B6B@exchange.aoihq.local>
Message-ID: <20081218165537.GA8830@zengl.net>

Hi,

* Eric Cables wrote:
>I've been using swatch for a couple of years now, and have been pretty happy
>with it (I used CiscoWorks' built-in syslog analyzer before, yuck!). I have
>had ambitions to test out SEC (Simple Event Correlator), which appears to
>still be developed (not sure if I've seen a swatch update since I started
>using it), but I just haven't had the time to do so.
>
>For those who have used both swatch & SEC, do you have any arguments for
>switching to SEC?

We have been using SEC in production for 4 years; it has proven to be a stable and very powerful event correlation tool.

Back then, I also looked into swatch. SEC won out because it allowed me to work with context-based events. This means that when one event occurs, you can create a context, allowing other event rules to become active.

There are tons of use cases I can think of. Event suppression, for example when an STP topology trap was logged. Watchdog solutions, like noticing an adjacency went down and starting a timer to check whether it came back or not.
Or even complex aggregation rules, like collecting information about traffic behavior (ACL hits/IDS logs), correlating up to a point where you can make sense out of the noise (what MARS does; simpler, but free). I am certain that some of this can be done with swatch, but more complex scenarios require to have some persistent relation between events, and I think this cannot be done with swatch. Kind regards, Christian From spencer at ceiva.com Thu Dec 18 11:59:42 2008 From: spencer at ceiva.com (Spencer Barnes) Date: Thu, 18 Dec 2008 08:59:42 -0800 Subject: [c-nsp] Cisco 7206 - High CPU Utilization In-Reply-To: References: <0BE527EE61205F409B0EDB4F6544552E01BE20D4@stewie.ceiva.local><4948B693.6000908@infopact.nl> <0BE527EE61205F409B0EDB4F6544552E01BE21A5@stewie.ceiva.local> <0BE527EE61205F409B0EDB4F6544552E01BE21C6@stewie.ceiva.local> Message-ID: <0BE527EE61205F409B0EDB4F6544552E01BE2314@stewie.ceiva.local> Thanks for the suggestion, unfortunately it didn't have an impact on the CPU utilization. I received this suggestion as well: " If you run AES instead you'll massively reduce your CPU utilization. I'd suggest a G1 at least for what you're doing. An 1811 would probably run better than this router because the processor is at least somewhat designed to handle what you're doing." It helped reduce utilization on the VPN process by about 20% but I'm still seeing high CPU utilization when uploading from our network and I should have mentioned that the border router with the high CPU utilization is connected to another Cisco 7206 with a lesser NPE-200. All the same traffic flowing through the border router is going through the core so you'd think it would exhibit the high CPU utilization but it never breaks a sweat. This seems important and seems to indicate the border router is having a problem? I'm thinking downgrade the IOS on the border router ((C7200-JK9O3S-M), Version 12.4(21)) to match the core ((C7200-IK9S-M), Version 12.3(14)T7). 
Perhaps the newer IOS with the bigger feature set is too much for the border router? If that doesn't work I'd also be curious to see what would happen if I moved the T3 card to the core router and see if the CPU utilization goes up on it but I can't do that until after the holidays. I've followed Cisco's guide to troubleshooting high IP input utilization and I can't think of anything else to do configuration wise on the border router. Thanks for all the help from everyone so far, it is very much appreciated. Spencer -----Original Message----- From: Mikael Abrahamsson [mailto:swmike at swm.pp.se] Sent: Wednesday, December 17, 2008 11:13 AM To: Spencer Barnes Cc: Church, Charles; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco 7206 - High CPU Utilization On Wed, 17 Dec 2008, Spencer Barnes wrote: > I removed all ACLs and Netflow but that did not have an effect. I think > I can move NAT to the core router for testing purposes, I'll try and do > that tomorrow morning. IOS version is (C7200-JK9O3S-M), Version > 12.4(21). If you're tunneling over 1500 media, doing "ip tcp mss-adjust 1300" on the interface where the traffic to encrypt/tunnel is passing unencrypted/untunneled, might help you. Worth a try though, you don't want multiple tunnel/encrypted packets per packet in the VPN. 
-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From Moens at carrier2carrier.com Thu Dec 18 12:02:28 2008
From: Moens at carrier2carrier.com (Martin Moens)
Date: Thu, 18 Dec 2008 18:02:28 +0100
Subject: [c-nsp] Any good filters for syslog output
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863514034B6B@exchange.aoihq.local>
Message-ID: <42F0C766A9A8DB47B5E86CA64738DC8B01905D9B@bilbo.bdhz.c2c.local>

Eric Van Tol <> wrote:
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of Tuc at T-B-O-H
>> Sent: Wednesday, December 17, 2008 3:54 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Any good filters for syslog output
>>
>> Hi,
>>
>> We are going to be monitoring the syslog output (We already have
>> a product (Zenoss)). Does anyone know of a repository of the "Watch
>> for these regular expressions" to decide what is worth looking into,
>> and what's worth ignoring.
>>
>> Thanks, Tuc
>
> If you're looking for a supported, proprietary product, check out
> Solarwinds Orion - much more than just a syslog repository, though.
> You are able to store syslogs in a SQL database, create rules for
> syslogs based upon source IP, source hostname, message type
> (%LINK-4-ERROR, etc.), and message contents. You can also do fancy
> things like forward the syslog to another syslog server, send an
> email/page, modify the message, and do time-of-day rules. On the
> downside, if all you need is a syslog server, you have to pay for the
> entire Orion suite, which is pretty expensive.
>
> -evt

For those using a Windows server for syslog, sl4nt (http://www.netal.com/sl4nt.htm) is a very flexible (and not expensive) option. It also has all the above-mentioned options.
Martin

From lee.e.rian at census.gov Thu Dec 18 12:25:00 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Thu, 18 Dec 2008 12:25:00 -0500
Subject: [c-nsp] Any good filters for syslog output
In-Reply-To:
References: <200812172054.mBHKs1iY055902@vjofn.tucs-beachin-obx-house.com> <2C05E949E19A9146AF7BDF9D44085B863514034B6B@exchange.aoihq.local>,
Message-ID:

-----William wrote: -----
>We use a combo of syslog-ng+swatch for our filtering which can do
>quite a lot for free, any more tips on what messages people are
>looking for on Cisco networks would be appreciated.

Here's my list of syslog msgs that I've either missed or wished that I'd looked at sooner:

# send another mail msg just for major problems/issues
# /usr/bin/grep FALLBACK $LF > /usr/local/majormsgs
# grep summary file - only need one line, not 100s
/usr/bin/grep "%ENVM-4-ENVWARN" /usr/local/nmsrtr.log >> /usr/local/majormsgs

/usr/bin/grep "%ENVMON-" /usr/local/nmsrtr.log >> /usr/local/majormsgs
# get things like %ENVMON-3-FAN_FAILED: Fan 1 not rotating

/usr/bin/grep "%SYS-2-SUP_TEMP" /usr/local/nmsrtr.log >> /usr/local/majormsgs
# gets both %SYS-2-SUP_TEMPMINORFAIL and %SYS-2-SUP_TEMPOK

/usr/bin/grep LCPERR /usr/local/nmsrtr.log >> /usr/local/majormsgs
/usr/bin/grep "asic invalid" /usr/local/nmsrtr.log >> /usr/local/majormsgs

/usr/bin/grep "ERR_DISABLE" /usr/local/nmsrtr.log >> /usr/local/majormsgs
# %PM-SP-4-ERR_DISABLE: packet-buffer error detected on Gi8/1, putting Gi8/1 in err-disable state

/usr/bin/grep "FIB" /usr/local/nmsrtr.log >> /usr/local/majormsgs
# %MLSCEF-SP-7-FIB_EXCEPTION: FIB TCAM exception, Some entries will be software switched

/usr/bin/grep "IKMP_INVAL_CERT" /usr/local/nmsrtr.log >> /usr/local/majormsgs
# %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from xx.xx.xx.xx is bad: CA request failed!

/usr/bin/grep "IKMP_MODE_FAILURE" /usr/local/nmsrtr.log >> /usr/local/majormsgs
# %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at xx.xx.xx.xx

/usr/bin/grep "IKMP_QUERY_KEY" /usr/local/nmsrtr.log >> /usr/local/majormsgs
# %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.

/usr/bin/grep "MALLOCFAIL" /usr/local/nmsrtr.log >> /usr/local/majormsgs
# %SYS-2-MALLOCFAIL: Memory allocation of 259648 bytes failed from 0x4154D734, alignment 8

/usr/bin/grep "NOPOWERAVAIL" /usr/local/nmsrtr.log >> /usr/local/majormsgs
# %SYS-3-PORT_NOPOWERAVAIL:Device on port 4/47 is denied power because either system ran out of power or module limit reached

/usr/bin/grep "PINNACLE" /usr/local/nmsrtr.log >> /usr/local/majormsgs
# %PM_SCP-SP-2-LCP_FW_ERR_INFORM: Module 8 is experiencing the following error: Transient port ASIC (PINNACLE) packet buffer parity error detected on ports 1, 3, 5, 7,

/usr/bin/grep "TCAM" /usr/local/nmsrtr.log >> /usr/local/majormsgs
# %ACL-5-TCAMFULL

/usr/bin/grep "TAC-7-CONNERR" /usr/local/nmsrtr.log >> /usr/local/majormsgs
# %TAC-7-CONNERR:Socket connection error to x.x.x.x

Regards,
Lee

>
>Cheers,
>
>W
>
>2008/12/18 Eric Van Tol :
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>>> bounces at puck.nether.net] On Behalf Of Tuc at T-B-O-H
>>> Sent: Wednesday, December 17, 2008 3:54 PM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Any good filters for syslog output
>>>
>>> Hi,
>>>
>>> We are going to be monitoring the syslog output (We already have
>>> a product (Zenoss)). Does anyone know of a repository of the "Watch
>>> for these regular expressions" to decide what is worth looking into, and
>>> what's worth ignoring.
>>>
>>> Thanks, Tuc
>>
>> If you're looking for a supported, proprietary product, check out
>Solarwinds Orion - much more than just a syslog repository, though.
>You are able to store syslogs in a SQL database, create rules for >syslogs based upon source IP, source hostname, message type >(%LINK-4-ERROR, etc.), and message contents. You can also do fancy >things like forward the syslog to another syslog server, send an >email/page, modify the message, and do time-of-day rules. On the >downside, if all you need is a syslog server, you have to pay for the >entire Orion suite, which is pretty expensive. >> >> -evt >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at http://puck.nether.net/pipermail/cisco-nsp/ From jml at packetpimp.org Thu Dec 18 12:03:46 2008 From: jml at packetpimp.org (Jason LeBlanc) Date: Thu, 18 Dec 2008 12:03:46 -0500 Subject: [c-nsp] Any good filters for syslog output In-Reply-To: <20081218165537.GA8830@zengl.net> References: <200812172054.mBHKs1iY055902@vjofn.tucs-beachin-obx-house.com> <2C05E949E19A9146AF7BDF9D44085B863514034B6B@exchange.aoihq.local> <20081218165537.GA8830@zengl.net> Message-ID: <494A8272.60201@packetpimp.org> The other nice thing about SEC is that it can handle a busy log server without nuking the cpu. You can get pretty crazy with it too in terms of complexity. Christian Zeng wrote: > Hi, > > * Eric Cables wrote: > >> I've been using swatch for a couple of years now, and have been pretty happy >> with it (I used CiscoWorks' built-in syslog analyzer before, yuck!). I have >> had ambitions to test out SEC (Simple Event Correlator), which appears to >> still be developed (not sure if I've seen a swatch update since I started >> using it), but I just haven't had the time to do so. 
>> >> For those who have used both swatch & SEC, do you have any arguments for >> switching to SEC? >> > > We are using SEC since 4 years in production, it has been proven as a > stable and a very powerful event correlation tool. > > Back then, I looked also into swatch. SEC made it because it allowed me > to work with context-based events. This means when one event occurs, you > can create a context, allowing other event rules to become active. > > There are tons of use cases I can think of. Event suppression, for > example in case of a STP topology trap was logged. Watchdog solutions, > like noticing an adjacency went down and starting a timer to check > whether it came back or not. Or even complex aggregation rules, like > collecting information about traffic behavior (ACL hits/IDS logs), > correlating up to a point where you can make sense out of the noise > (what MARS does; simpler, but free). > > I am certain that some of this can be done with swatch, but more complex > scenarios require to have some persistent relation between events, and I > think this cannot be done with swatch. 
> > Kind regards, > > > Christian > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From lukasz at bromirski.net Thu Dec 18 18:51:09 2008 From: lukasz at bromirski.net (=?ISO-8859-2?Q?=A3ukasz_Bromirski?=) Date: Fri, 19 Dec 2008 00:51:09 +0100 Subject: [c-nsp] Cisco 7206 - High CPU Utilization In-Reply-To: <0BE527EE61205F409B0EDB4F6544552E01BE2314@stewie.ceiva.local> References: <0BE527EE61205F409B0EDB4F6544552E01BE20D4@stewie.ceiva.local><4948B693.6000908@infopact.nl> <0BE527EE61205F409B0EDB4F6544552E01BE21A5@stewie.ceiva.local> <0BE527EE61205F409B0EDB4F6544552E01BE21C6@stewie.ceiva.local> <0BE527EE61205F409B0EDB4F6544552E01BE2314@stewie.ceiva.local> Message-ID: <494AE1ED.9030708@bromirski.net> On 2008-12-18 17:59, Spencer Barnes wrote: > It helped reduce utilization on the VPN process by about 20% but I'm > still seeing high CPU utilization when uploading from our network and > I should have mentioned that the border router with the high CPU > utilization is connected to another Cisco 7206 with a lesser > NPE-200. All the same traffic flowing through the border router is > going through the core so you'd think it would exhibit the high CPU > utilization but it never breaks a sweat. This seems important and > seems to indicate the border router is having a problem? For VPNs on 7200 there are SA-VAMs which offload crypto to hardware - it was mentioned already in this and in the past threads. Also, there was a suggestion to do MSS adjust on internal interface accepting the traffic to be encrypted, to minimze chances of hitting fragmentation, which will kill CPU right away. You didn't mentioned it in this mail - were You capable of making this change? 
The high IP Input process means something is processed in software
switching, not CEF switching - so either some of the features (you mention
another, smaller NPE doing fine with the traffic, which strongly suggests
services are the key), or the 12.4(21) isn't the right choice - and you
should stick with 12.3(14)T7.

One way or the other - don't do VPNs on a border 7200 without VAMs. And
even with them - look for an ASA, or an ISR with VPN hardware, to do the
offload without threatening the stability of the border platform.

-- 
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From ariemer at wesenergy.com.au Thu Dec 18 22:00:44 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Fri, 19 Dec 2008 12:00:44 +0900
Subject: [c-nsp] 1751 no flash directory
Message-ID: <0867622C64B50C4B878AB45C95F43F11065EC035@MAILWA01.wesenergy.local>

Hey guys,

I have this 1751 router that I am having issues with. For some reason when
I do a 'show version' it doesn't list the flash memory and when I do a
'dir flash:' the directory doesn't exist! However when going into rommon
mode a 'dir flash:' shows the flash fine but doesn't indicate the size of
the flash, i.e. bytes available. I have set the configuration register
properly (0x2102) and cleared the configuration but still it will not list
the flash in a normal boot.

I was thinking I could just tftp a new flash to the system via rommon mode
and tftpdnld but I have no idea how much memory the flash has!

Any hints?

Thanks,

Aaron.

LEGAL DISCLAIMER: This message contains confidential information and is
intended only for the individual named. If you are not the named addressee
you should not disseminate, distribute or copy this e-mail. Please notify
the sender immediately by e-mail if you have received this e-mail by
mistake and delete this e-mail from your system.
If you are not the intended recipient you are notified that disclosing,
copying, distributing or taking any action in reliance on the contents of
this information is strictly prohibited.

From hank at efes.iucc.ac.il Fri Dec 19 00:02:50 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Fri, 19 Dec 2008 07:02:50 +0200 (IST)
Subject: [c-nsp] So you think you know Cisco
Message-ID:

http://www.networkworld.com/slideshows/2008/121808-cisco-quiz.html?netht=rn_121808&nladname=121808

-Hank

From td_miles at yahoo.com Fri Dec 19 00:32:09 2008
From: td_miles at yahoo.com (Tony)
Date: Thu, 18 Dec 2008 21:32:09 -0800 (PST)
Subject: [c-nsp] 3550 routing performance
Message-ID: <776543.81899.qm@web110112.mail.gq1.yahoo.com>

Hi all,

Apologies in advance for the long post, I'm hoping to cover off some of the
obvious questions and show that I have at least tried to answer this
myself.

I've been doing some testing with a 3550 and I am getting some strange
performance results. I start with a totally blank config and then add the
following:

interface FastEthernet0/13
 no switchport
 ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet0/14
 no switchport
 ip address 192.168.40.254 255.255.255.0
!

I have PC1 with IP 192.168.1.200 connected directly to fa0/13 running an
FTP server. I have PC2 with IP 192.168.40.100 connected directly to fa0/14.

If I FTP a file from PC2 to PC1 I get speeds of 97Mbps (near enough to
wire speed of 100Mbps). Nice.

I then change the config so that the interfaces are in a VRF, like this:

ip vrf test1
 description test1 vrf
 rd 100:1
!
interface FastEthernet0/13
 no switchport
 ip vrf forwarding test1
 ip address 192.168.1.254 255.255.255.0
!
interface FastEthernet0/14
 no switchport
 ip vrf forwarding test1
 ip address 192.168.40.254 255.255.255.0
!

Testing using the FTP transfer again I get an average transfer speed of
around 14Mbps (not so nice). Ok I think to myself, the VRF stuff is causing
issues.
So I remove all of the VRF (delete the VRF, delete it from the interfaces,
add IP addresses again to the interfaces). Once I've done this, I test the
FTP again, still 14Mbps. The only way I can get it to go back up to
100Mbps is to reboot the switch.

I tried this on a number of different IOS versions and they all showed the
same issue:

c3550-ipservicesk9-mz.122-37.SE.bin
c3550-ipbasek9-mz.122-25.SED.bin
c3550-ipservices-mz.122-25.SEE4.bin
c3550-ipservices-mz.122-44.SE3.bin
c3550-i5q3l2-mz.121-22.EA10b.bin

I then thought that maybe it's doing something strange with VRFs so I will
test it with VLAN routing. Reboot the switch, and then put this config on
it:

interface vlan13
 ip address 192.168.1.254 255.255.255.0
 no shut
!
interface vlan14
 ip address 192.168.40.254 255.255.255.0
 no shut
!
interface FastEthernet0/13
 switchport
 switchport mode access
 switchport access vlan 13
!
interface FastEthernet0/14
 switchport
 switchport mode access
 switchport access vlan 14
!

I get the same results, transfer speed of around 14Mbps (that's an average
too, it bounces around between 8-26Mbps). If I remove the VLAN config and
go back to IP addresses directly on the interfaces I have the same issue,
the speed doesn't go back up at all, but stays at 14Mbps until reboot.

I have also tried this on another 3550, just to make sure it wasn't
something broken in one switch.

What I am trying to achieve is routing between two subnets that are
connected to two interfaces in a VRF. I need it to be in a VRF as I have
two lots of connections coming into the 3550 (i.e. four interfaces). One
is for WAN traffic (one set of two interfaces & subnets in one VRF), one
for Internet traffic (2nd set of two interfaces & subnets in 2nd VRF).
Hopefully that makes sense?

From this Cisco doc:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_seb/configuration/guide/swiprout.html#wp1206101

"Multi-VRF CE does not affect the packet switching rate."

Am I missing something simple?
I'm open to any suggestions and am happy to test things and report back
with the results (may not be till after the weekend though).

Thanks,
Tony.

From lists at daniels.id.au Fri Dec 19 02:08:49 2008
From: lists at daniels.id.au (Aaron Daniels - Lists)
Date: Fri, 19 Dec 2008 17:08:49 +1000
Subject: [c-nsp] MPLS-VPN migration
In-Reply-To: <01d401c960e8$6bc17710$43446530$@id.au>
References: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com> <01d401c960e8$6bc17710$43446530$@id.au>
Message-ID: <00d101c961a8$a6858ce0$f390a6a0$@id.au>

I have had a few requests for this so I thought I'd put it on-list.

Thanks,
Aaron Daniels

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Daniels - Lists
> Sent: Thursday, 18 December 2008 6:13 PM
> To: 'Tim Durack'; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] MPLS-VPN migration
>
> We just tackled this one in our organisation.
>
> 2 Gotchas.
>
> 1. Router-id must be different between peers, make sure your code
>    supports vrf specific router-id.
> 2. iBGP was very messy IMHO, so we went with eBGP using local-as to have
>    each vrf appear to be a different 65xxx AS
>
> I can send you my lab configs tomorrow.
>
> Thanks,
> Aaron
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Durack
> > Sent: Thursday, 18 December 2008 1:54 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] MPLS-VPN migration
> >
> > Looking for some "creative" ideas on how best to accomplish this:
> >
> > We are migrating a traditional enterprise-style IP network to an
> > MPLS-VPN network. All the infrastructure MPLS/IGP/MP-BGP work is
> > essentially done (it's a purely PE-PE network, no P routers anywhere.)
> >
> > All "customer" networks are still in the global table.
> > I need to migrate them into VPN groups, but maintain full reachability
> > between global and VRFs during the migration. Route-leaking will be
> > configured between VRFs, and at a later stage some kind of firewall
> > will be employed between VPNs. The hard part is getting everything into
> > the VPNs first (without anyone noticing too much :-)
> >
> > Ideally I'd like to bring up BGP sessions between the global table and
> > VRFs on each PE. I notice I can do BGP sessions between VRFs, but
> > can't quite wrap my head around global->VRF BGP. Is this even
> > possible?
> >
> > Thanks for thinking about it.
> >
> > Tim:>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: VRF BGP Edge.txt
URL:

From lukasz at bromirski.net Fri Dec 19 02:39:20 2008
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Fri, 19 Dec 2008 08:39:20 +0100
Subject: [c-nsp] 3550 routing performance
In-Reply-To: <776543.81899.qm@web110112.mail.gq1.yahoo.com>
References: <776543.81899.qm@web110112.mail.gq1.yahoo.com>
Message-ID: <494B4FA8.5060803@bromirski.net>

On 2008-12-19 06:32, Tony wrote:
> If I FTP a file from PC2 to PC1 I get speeds of 97Mbps (near enough
> to wire speed of 100Mbps). Nice. I then change the config so that the
> interfaces are in a VRF, like this: Testing using the FTP transfer
> again I get an average transfer speed of around 14Mbps (not so
> nice).
My wild guess would be to check for extended-match in the sdm template:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_seb/configuration/guide/swiprout.html#wp1213867

Change that, reboot the switch and then do the tests again for interfaces
in the VRF. As for the other tests with routing over SVIs - very strange :)
as the 3550 is routing in hardware.

-- 
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From td_miles at yahoo.com Fri Dec 19 03:01:12 2008
From: td_miles at yahoo.com (Tony)
Date: Fri, 19 Dec 2008 00:01:12 -0800 (PST)
Subject: [c-nsp] 3550 routing performance
In-Reply-To: <6E31172B4025564D861CD73627500BAC02E2FB18@pru-mail02.pe.net>
Message-ID: <179880.89758.qm@web110114.mail.gq1.yahoo.com>

I should have included that in my original post, I had already set SDM to
routing extended-match. If you don't you get a warning when you add a VRF
to prompt you to do it. Unfortunately not something that obvious.

=====
Switch#sho sdm prefer
The current template is the routing extended-match template.
=====

regards,
Tony.

--- On Fri, 19/12/08, Tolstykh, Andrew wrote:

> From: Tolstykh, Andrew
> Subject: RE: [c-nsp] 3550 routing performance
> To: td_miles at yahoo.com
> Date: Friday, 19 December, 2008, 6:20 PM
> Please post the output of "show sdm prefer"
>

From erik at infopact.nl Fri Dec 19 04:27:45 2008
From: erik at infopact.nl (E. Versaevel)
Date: Fri, 19 Dec 2008 10:27:45 +0100
Subject: [c-nsp] 7602VXR NPE-G1
In-Reply-To: <4937E0CB.5030603@infopact.nl>
References: <4937B918.80707@infopact.nl> <4937C1FC.7030407@infopact.nl> <20081204125739.GB18021@srv03.cluenet.de> <4937E0CB.5030603@infopact.nl>
Message-ID: <494B6911.2010403@infopact.nl>

E. Versaevel wrote:
> Daniel Roesen wrote:
>> On Thu, Dec 04, 2008 at 12:41:48PM +0100, E. Versaevel wrote:
>>> I've also been looking into the ASR 1000 series as a replacement/expansion.
>>> However it doesn't seem to support PPPoA, that's one major show stopper for us.
>> That's announced for RLS3, expected in January (or so...).
>>
>> Best regards,
>> Daniel
>>
> Daniel,
>
> Where did you get that information?
> Is there a list of functions/features expected in RLS3?
>
>
> Erik Versaevel
>

This is what our Cisco contact told me:

PPPoA is on the roadmap for mid CY10.
PPPoEoA is targeted for RLS5 (Sep 09).

So totally useless for us :D, who got the bright idea to call this an
Aggregation Service Router? I (and most providers over here) can't
aggregate my/our users on it as the majority of DSL providers use either
PPPoA or PPPoE(oA).

Erik Versaevel

From rodunn at cisco.com Fri Dec 19 10:17:48 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 19 Dec 2008 10:17:48 -0500
Subject: [c-nsp] npe-g2 CsCsk65796
In-Reply-To: <20081206130938.GL844@rtp-cse-489.cisco.com>
References: <493A5409.7050109@global-one.by> <20081206130938.GL844@rtp-cse-489.cisco.com>
Message-ID: <20081219151747.GH14325@rtp-cse-489.cisco.com>

Eugene,

I did a little digging on this and it appears there are a couple
of gotchas with this one.

a) Does the boot image you have have the fix for it?
   dir bootflash:

   If not, we need to get one that does.

b) What code did you upgrade from? From talking with DE, unclear
   exactly what in the code it is, but just upgrading to the image
   with the fix may not resolve it as the problem was carried over.
   Can you reload it once more on the upgraded image and verify if it
   comes back?

Rodney

On Sat, Dec 06, 2008 at 08:09:38AM -0500, Rodney Dunn wrote:
> Eugene,
>
> Can you post a 'sh int' and 'sh controller' for the interface?
>
> And 'sh ver' from the box?
>
> Rodney
>
> On Sat, Dec 06, 2008 at 12:29:29PM +0200, Eugene Vedistchev wrote:
> > I wonder if someone else upgraded to the 12.2SB train to fix CSCsk65796?
> > Bug Details NPE-G2: all rx frames counted as overruns on built-in gige.
> >
> > We have upgraded software to 12.2.31SB13 on two routers, reloaded them
> > and got stuck with this bug again.
> > Bug Toolkit provided a workaround: to powercycle the routers.
> > I cannot tell whether a powercycle with the new software gets rid of
> > this bug for us, or whether we have encountered another bug or a
> > physical failure.
> >
> > Eugene Vedistchev

From rodunn at cisco.com Fri Dec 19 11:12:19 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 19 Dec 2008 11:12:19 -0500
Subject: [c-nsp] npe-g2 CsCsk65796
In-Reply-To: <20081219151747.GH14325@rtp-cse-489.cisco.com>
References: <493A5409.7050109@global-one.by> <20081206130938.GL844@rtp-cse-489.cisco.com> <20081219151747.GH14325@rtp-cse-489.cisco.com>
Message-ID: <20081219161219.GQ14325@rtp-cse-489.cisco.com>

On Fri, Dec 19, 2008 at 10:17:48AM -0500, Rodney Dunn wrote:
> Eugene,
>
> I did a little digging on this and it appears there are a couple
> of gotchas with this one.
>
> a) Does the boot image you have have the fix for it?
>    dir bootflash:
>
>    If not, we need to get one that does.
>
> b) What code did you upgrade from? From talking with DE, unclear
>    exactly what in the code it is, but just upgrading to the image
>    with the fix may not resolve it as the problem was carried over.
>    Can you reload it once more on the upgraded image and verify if it
>    comes back?

I'm asking for more clarification but I think they are implying a hard
power cycle, not a remote "reload" via the CLI.
>
> Rodney
>
>
> On Sat, Dec 06, 2008 at 08:09:38AM -0500, Rodney Dunn wrote:
> > Eugene,
> >
> > Can you post a 'sh int' and 'sh controller' for the interface?
> >
> > And 'sh ver' from the box?
> >
> > Rodney
> >
> > On Sat, Dec 06, 2008 at 12:29:29PM +0200, Eugene Vedistchev wrote:
> > > I wonder if someone else upgraded to the 12.2SB train to fix CSCsk65796?
> > > Bug Details NPE-G2: all rx frames counted as overruns on built-in gige.
> > >
> > > We have upgraded software to 12.2.31SB13 on two routers, reloaded them
> > > and got stuck with this bug again.
> > > Bug Toolkit provided a workaround: to powercycle the routers.
> > > I cannot tell whether a powercycle with the new software gets rid of
> > > this bug for us, or whether we have encountered another bug or a
> > > physical failure.
> > >
> > > Eugene Vedistchev

From justin at justinshore.com Fri Dec 19 11:26:40 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 19 Dec 2008 10:26:40 -0600
Subject: [c-nsp] HWIC-4T1/E1
Message-ID: <494BCB40.7000300@justinshore.com>

Does anyone have any of the new quad-T1 HWICs (HWIC-4T1/E1) in
production? I've got some questions for anyone with knowledge of the
unit.

http://www.cisco.com/en/US/prod/collateral/modules/ps5949/product_data_sheet0900aecd80710c77.html

Are they configured like the MFTs (with the controller config separate)
or are they like the WICs (with the service-module config)? How are the 4
interfaces numbered? Se0/1/0-4:0? Are there any special limitations with
the HWIC-4T1 that anyone knows of?
We'll be doing MLPPP on them and some QoS (possibly spanning multiple
HWIC-4T1s in a single chassis). They look to be decent units. Besides
researching them to make sure that they'll work for us, I'm writing a
template config for them and need to know how they're configured and
numbered.

Thanks
Justin

From jsa at aua.auc.dk Fri Dec 19 08:55:37 2008
From: jsa at aua.auc.dk (Jens S Andersen)
Date: Fri, 19 Dec 2008 14:55:37 +0100 (CET)
Subject: [c-nsp] Problem with LWAP over gre/ipsec
Message-ID: <01N3A4LKY2W48XIEFC@aua.auc.dk>

Hello all

Has anybody on the list tried running LWAP thru a GRE/IPsec tunnel?

People connecting to LWAP access-points on the far end of the GRE/IPsec
tunnel have problems which almost certainly are related to MTU.

My tunnel configuration is:

interface Tunnel2
 ip address xx.xx.xx.xx 255.255.255.254
 ip mtu 1418
 ip tcp adjust-mss 1300
 tunnel source Loopback0
 tunnel destination yy.yy.yy.yy
 tunnel path-mtu-discovery
 crypto map aue-gw2-sdu

The WiSM software is version 5.1.151.0

Reducing the mss-size to 1300 on the relevant SVI on the WiSM
switch/router helps, at least on the tcp sessions.

It seems that PMTU does not work on LWAP/GRE/IPsec?

Jens S Andersen                    Email: jsa at adm.aau.dk
Aalborg University                 Telf: 9940 9464
Selma Lagerlöfs Vej 300, 4.1.03    Fax: 9940 7593
9220 Aalborg Denmark

From luan at netcraftsmen.net Fri Dec 19 11:44:02 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Fri, 19 Dec 2008 11:44:02 -0500
Subject: [c-nsp] HWIC-4T1/E1
In-Reply-To: <494BCB40.7000300@justinshore.com>
References: <494BCB40.7000300@justinshore.com>
Message-ID: <006601c961f8$ff6a4cb0$fe3ee610$@net>

controller T1 0/2/0
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
controller T1 0/2/1
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
controller T1 0/2/2
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
controller T1 0/2/3
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
interface Serial0/2/0:1
 ip address negotiated
 ip access-group publicIn in
 ip virtual-reassembly
 encapsulation ppp
 crypto map vpn
!
interface Serial0/2/1:1
 ip address negotiated
 ip access-group publicIn in
 ip virtual-reassembly
 encapsulation ppp
 crypto map vpn
!
interface Serial0/2/2:1
 ip address negotiated
 ip access-group publicIn in
 ip virtual-reassembly
 encapsulation ppp
 crypto map vpn
!
interface Serial0/2/3:1
 ip address negotiated
 ip access-group publicIn in
 ip virtual-reassembly
 encapsulation ppp
 crypto map vpn

Didn't do a whole lot with QoS, etc., but it looks like any other serial
T1/E1 interface.

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Friday, December 19, 2008 11:27 AM
To: 'Cisco-nsp'
Subject: [c-nsp] HWIC-4T1/E1

Does anyone have any of the new quad-T1 HWICs (HWIC-4T1/E1) in
production? I've got some questions for anyone with knowledge of the
unit.

http://www.cisco.com/en/US/prod/collateral/modules/ps5949/product_data_sheet0900aecd80710c77.html

Are they configured like the MFTs (with the controller config separate)
or are they like the WICs (with the service-module config)? How are the 4
interfaces numbered? Se0/1/0-4:0? Are there any special limitations with
the HWIC-4T1 that anyone knows of?

We'll be doing MLPPP on them and some QoS (possibly spanning multiple
HWIC-4T1s in a single chassis). They look to be decent units. Besides
researching them to make sure that they'll work for us, I'm writing a
template config for them and need to know how they're configured and
numbered.
Thanks
Justin

From paul.cosgrove at heanet.ie Fri Dec 19 11:58:36 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Fri, 19 Dec 2008 16:58:36 +0000
Subject: [c-nsp] STP or HSRP problem ?
In-Reply-To: <20081218155219.GK269@eatyourpets.com>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01A30@tiger.deltadentalwa.com> <20081218155219.GK269@eatyourpets.com>
Message-ID: <494BD2BC.6020101@heanet.ie>

Charlie Allom wrote:
> On Thu, Dec 18, 2008 at 06:43:46AM -0800, Teller, Robert wrote:
>
>> This appears to be related to hsrp. What is the exact problem you're
>> having, do your users report loss of connectivity momentarily or are you
>> just looking in your log file and see this entry. It's hard to say
>> without seeing your config what the problem is.
>>
>
> I get this often on ISR routers with high CPU (2821's)
>
> Depending on how long it lasts it can knock out streaming but that's
> about all that notices.
>
> C.

Hi Jack,

There is a Cisco doc about troubleshooting HSRP problems which mentions
that high CPU can cause HSRP flaps.

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml

Case Study 7 describes a scenario where two routers are connected to a
shared stub LAN, with both supporting multicast and running HSRP. Each
has a route to a multicast source via another interface. The DR is
sending multicast onto the shared LAN, and these packets are reaching the
non-DR on a non-RPF interface. The non-DR may not have created any state
for the group (I guess since the DR is handling joins), and so the
non-RPF packets are punted to the CPU for processing. The increased CPU
causes HSRP state changes on the non-designated router.
The suggested solution is to use an ACL on the standby router to prevent
these multicasts being received via the multicast DR.

Paul.

From rodunn at cisco.com Fri Dec 19 12:19:10 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 19 Dec 2008 12:19:10 -0500
Subject: [c-nsp] npe-g2 CsCsk65796
In-Reply-To: <20081219161219.GQ14325@rtp-cse-489.cisco.com>
References: <493A5409.7050109@global-one.by> <20081206130938.GL844@rtp-cse-489.cisco.com> <20081219151747.GH14325@rtp-cse-489.cisco.com> <20081219161219.GQ14325@rtp-cse-489.cisco.com>
Message-ID: <20081219171910.GC14325@rtp-cse-489.cisco.com>

Yep...a hard power cycle is needed.

Rodney

On Fri, Dec 19, 2008 at 11:12:19AM -0500, Rodney Dunn wrote:
> On Fri, Dec 19, 2008 at 10:17:48AM -0500, Rodney Dunn wrote:
> > Eugene,
> >
> > I did a little digging on this and it appears there are a couple
> > of gotchas with this one.
> >
> > a) Does the boot image you have have the fix for it?
> >    dir bootflash:
> >
> >    If not, we need to get one that does.
> >
> > b) What code did you upgrade from? From talking with DE, unclear
> >    exactly what in the code it is, but just upgrading to the image
> >    with the fix may not resolve it as the problem was carried over.
> >    Can you reload it once more on the upgraded image and verify if it
> >    comes back?
>
> I'm asking for more clarification but I think they are implying a hard
> power cycle, not a remote "reload" via the CLI.
>
> >
> > Rodney
> >
> >
> > On Sat, Dec 06, 2008 at 08:09:38AM -0500, Rodney Dunn wrote:
> > > Eugene,
> > >
> > > Can you post a 'sh int' and 'sh controller' for the interface?
> > >
> > > And 'sh ver' from the box?
> > >
> > > Rodney
> > >
> > > On Sat, Dec 06, 2008 at 12:29:29PM +0200, Eugene Vedistchev wrote:
> > > > I wonder if someone else upgraded to the 12.2SB train to fix CSCsk65796?
> > > > Bug Details NPE-G2: all rx frames counted as overruns on built-in gige.
> > > >
> > > > We have upgraded software to 12.2.31SB13 on two routers, reloaded them
> > > > and got stuck with this bug again.
> > > > Bug Toolkit provided a workaround: to powercycle the routers.
> > > > I cannot tell whether a powercycle with the new software gets rid of
> > > > this bug for us, or whether we have encountered another bug or a
> > > > physical failure.
> > > >
> > > > Eugene Vedistchev

From justin at justinshore.com Fri Dec 19 12:23:53 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 19 Dec 2008 11:23:53 -0600
Subject: [c-nsp] HWIC-4T1/E1
In-Reply-To: <006601c961f8$ff6a4cb0$fe3ee610$@net>
References: <494BCB40.7000300@justinshore.com> <006601c961f8$ff6a4cb0$fe3ee610$@net>
Message-ID: <494BD8A9.8030506@justinshore.com>

Luan Nguyen wrote:
> controller T1 0/2/0
>  cablelength long 0db
>  channel-group 1 timeslots 1-24

Excellent. That's exactly what I was needing.

Thanks
Justin

From scaner at global-one.by Fri Dec 19 15:39:53 2008
From: scaner at global-one.by (Eugene Vedistchev)
Date: Fri, 19 Dec 2008 22:39:53 +0200
Subject: [c-nsp] npe-g2 CsCsk65796
In-Reply-To: <20081219171910.GC14325@rtp-cse-489.cisco.com>
References: <493A5409.7050109@global-one.by> <20081206130938.GL844@rtp-cse-489.cisco.com> <20081219151747.GH14325@rtp-cse-489.cisco.com> <20081219161219.GQ14325@rtp-cse-489.cisco.com> <20081219171910.GC14325@rtp-cse-489.cisco.com>
Message-ID: <494C0699.4050207@global-one.by>

Hello,

We haven't upgraded the boot image to a fixed release.
We upgraded from 12.2.31SB6 code.
Yes, a powercycle did the trick.
br,
Eugene

Rodney Dunn wrote:
> Yep...a hard power cycle is needed.
>
> Rodney
>
> On Fri, Dec 19, 2008 at 11:12:19AM -0500, Rodney Dunn wrote:
>
>> On Fri, Dec 19, 2008 at 10:17:48AM -0500, Rodney Dunn wrote:
>>
>>> Eugene,
>>>
>>> I did a little digging on this and it appears there are a couple
>>> of gotchas with this one.
>>>
>>> a) Does the boot image you have have the fix for it?
>>>    dir bootflash:
>>>
>>>    If not, we need to get one that does.
>>>
>>> b) What code did you upgrade from? From talking with DE, unclear
>>>    exactly what in the code it is, but just upgrading to the image
>>>    with the fix may not resolve it as the problem was carried over.
>>>    Can you reload it once more on the upgraded image and verify if it
>>>    comes back?
>>>
>> I'm asking for more clarification but I think they are implying a hard
>> power cycle, not a remote "reload" via the CLI.
>>
>>
>>
>>> Rodney
>>>
>>>
>>> On Sat, Dec 06, 2008 at 08:09:38AM -0500, Rodney Dunn wrote:
>>>
>>>> Eugene,
>>>>
>>>> Can you post a 'sh int' and 'sh controller' for the interface?
>>>>
>>>> And 'sh ver' from the box?
>>>>
>>>> Rodney
>>>>
>>>> On Sat, Dec 06, 2008 at 12:29:29PM +0200, Eugene Vedistchev wrote:
>>>>
>>>>> I wonder if someone else upgraded to the 12.2SB train to fix CSCsk65796?
>>>>> Bug Details NPE-G2: all rx frames counted as overruns on built-in gige.
>>>>>
>>>>> We have upgraded software to 12.2.31SB13 on two routers, reloaded them
>>>>> and got stuck with this bug again.
>>>>> Bug Toolkit provided a workaround: to powercycle the routers.
>>>>> I cannot tell whether a powercycle with the new software gets rid of
>>>>> this bug for us, or whether we have encountered another bug or a
>>>>> physical failure.
>>>>>
>>>>> Eugene Vedistchev
>>>>>
>>>
>
>
>

From mailinglist at bangky.net Sat Dec 20 09:30:33 2008
From: mailinglist at bangky.net (Ang Kah Yik)
Date: Sat, 20 Dec 2008 22:30:33 +0800
Subject: [c-nsp] RSP4 as route server? - seeking suggestions and opinions
Message-ID: <2ad168fd0812200630g5c1e0cc9o1ea19d70ba6379ea@mail.gmail.com>

Hi all,

Would an RSP4 (256MB RAM) from a 7505 be any good as a pure route server
(no forwarding) for 2 or more full IPv4 BGP tables?

Prior to decommissioning in mid '07, it acted as a border router handling
2 upstreams but I would like to know if it can cope with routing table
growth for at least the next year or so.

Suggestions and opinions are most welcome. Cheers.

-- 
Ang Kah Yik (bangky) - http://blog.bangky.net

From david at davidcoulson.net Sat Dec 20 09:42:14 2008
From: david at davidcoulson.net (David Coulson)
Date: Sat, 20 Dec 2008 09:42:14 -0500
Subject: [c-nsp] RSP4 as route server? - seeking suggestions and opinions
In-Reply-To: <2ad168fd0812200630g5c1e0cc9o1ea19d70ba6379ea@mail.gmail.com>
References: <2ad168fd0812200630g5c1e0cc9o1ea19d70ba6379ea@mail.gmail.com>
Message-ID: <494D0446.9070107@davidcoulson.net>

I'm surprised it worked mid 2007 - I've certainly had no success loading
full tables into 256Mb in the last two years without aggressive filtering.

So, my answer would be 'no'. I'd be tempted to use a Linux or BSD box if
you just want a basic route server.
Ang Kah Yik wrote:
> Hi all,
>
> Would an RSP4 (256MB RAM) from a 7505 be any good as a pure route server (no
> forwarding) for 2 or more full IPv4 BGP tables?
> Prior to decommissioning in mid '07, it acted as a border router handling 2
> upstreams but I would like to know if it can cope with routing table growth
> for at least the next year or so.
>
> Suggestions and opinions are most welcome. Cheers.
>
>

From mailinglist at bangky.net Sat Dec 20 10:27:59 2008
From: mailinglist at bangky.net (Ang Kah Yik)
Date: Sat, 20 Dec 2008 23:27:59 +0800
Subject: [c-nsp] RSP4 as route server? - seeking suggestions and opinions
In-Reply-To: <494D0446.9070107@davidcoulson.net>
References: <2ad168fd0812200630g5c1e0cc9o1ea19d70ba6379ea@mail.gmail.com> <494D0446.9070107@davidcoulson.net>
Message-ID: <2ad168fd0812200727m226e7239m50f390a38d7bcd33@mail.gmail.com>

Hi,

I've only been recently tasked with looking into possible (re)uses for
this box so I'm not sure how it managed to handle 2 sets of full routes
either.

The first thing that came to mind when tasked with this was actually
Quagga/OpenBGPD. There appears to be a discussion on Linux Gigabit routers
on the NANOG-ML but the discussion seems skewed towards forwarding
performance rather than BGP scalability.

Understandably, open source routing daemons aren't exactly cisco-nsp, but
could you (or others on-list) share opinions on this?

Thanks!

On Sat, Dec 20, 2008 at 10:42 PM, David Coulson wrote:

> I'm surprised it worked mid 2007 - I've certainly had no success loading
> full tables into 256Mb in the last two years without aggressive filtering.
>
> So, my answer would be 'no'. I'd be tempted to use a Linux or BSD box if
> you just want a basic route server.
>
>
> Ang Kah Yik wrote:
>
>> Hi all,
>>
>> Would an RSP4 (256MB RAM) from a 7505 be any good as a pure route server
>> (no forwarding) for 2 or more full IPv4 BGP tables?
>> Prior to decommissioning in mid '07, it acted as a border router handling >> 2 >> upstreams but I would like to know if it can cope with routing table >> growth >> for at least the next year or so. >> >> Suggestions and opinions are most welcome. Cheers. >> >> >> > -- Ang Kah Yik (bangky) - http://blog.bangky.net From engel.labiro at gmail.com Sat Dec 20 10:46:10 2008 From: engel.labiro at gmail.com (Engelhard Labiro) Date: Sun, 21 Dec 2008 00:46:10 +0900 Subject: [c-nsp] RSP4 as route server? - seeking suggestions and opinions In-Reply-To: <2ad168fd0812200630g5c1e0cc9o1ea19d70ba6379ea@mail.gmail.com> References: <2ad168fd0812200630g5c1e0cc9o1ea19d70ba6379ea@mail.gmail.com> Message-ID: <74b0c3330812200746y4a4634c5i52d29540fc565c6b@mail.gmail.com> Just FYI , recently our 7206VXR (w NPE225) 256MB could not handle 2 BGP full routes (total around 40k routes) from provider. The router generated not enough memories and disabled its CEF. On Sat, Dec 20, 2008 at 11:30 PM, Ang Kah Yik wrote: > Hi all, > > Would an RSP4 (256MB RAM) from a 7505 be any good as a pure route server (no > forwarding) for 2 or more full IPv4 BGP tables? > Prior to decommissioning in mid '07, it acted as a border router handling 2 > upstreams but I would like to know if it can cope with routing table growth > for at least the next year or so. > > Suggestions and opinions are most welcome. Cheers. > > -- > Ang Kah Yik (bangky) - http://blog.bangky.net > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From dan at orb.cz Sat Dec 20 14:59:30 2008 From: dan at orb.cz (=?ISO-8859-2?Q?Daniel_Stan=ECk?=) Date: Sat, 20 Dec 2008 20:59:30 +0100 Subject: [c-nsp] hsrp with static and dynamic nat for the same outside ip addr and nat timeouts Message-ID: <494D4EA2.502@orb.cz> Hi friends, is it ok to have HSRP NAT configuration like this? 
ip nat Stateful id 1
 redundancy dmz
  mapping-id 1
  interface Vlan2
  protocol udp
ip nat pool outside-dynamic a.a.a.a a.a.a.a netmask 255.255.255.248
ip nat inside source route-map nat-fast00 pool outside-dynamic mapping-id 1 overload
ip nat inside source static tcp 10.142.27.101 25 a.a.a.a 25 redundancy dmz extendable

The idea is to have two 2811's with HSRP configured at the inside interface and doing both static tcp and dynamic overload NAT translation using the same outside ip address. It seems to be functional but with one small problem - the nat translation table of the active router is full of timing-out tcp sessions to port 25 (the static nat entry child). The only way to reduce them is to lower the nat tcp timeout value, otherwise there are thousands of active translations even if the tcp connection has finished (with the default timeout of one day).

Do you think it is an IOS bug or a design error?

Thanks for any advice
Dan Stanek

From cayers at ena.com Sat Dec 20 15:45:21 2008
From: cayers at ena.com (Cory Ayers)
Date: Sat, 20 Dec 2008 14:45:21 -0600
Subject: [c-nsp] RSP4 as route server? - seeking suggestions and opinions
In-Reply-To: <2ad168fd0812200727m226e7239m50f390a38d7bcd33@mail.gmail.com>
References: <2ad168fd0812200630g5c1e0cc9o1ea19d70ba6379ea@mail.gmail.com> <494D0446.9070107@davidcoulson.net> <2ad168fd0812200727m226e7239m50f390a38d7bcd33@mail.gmail.com>
Message-ID:

> I've only been recently tasked with looking into possible (re)uses for this
> box so I'm not sure how it managed to handle 2 sets of full routes either.

256M RAM will barely handle one BGP feed filtered to /23 (140k routes)

> The first thing that came to mind when tasked with this was actually
> Quagga/OpenBGPD. There appears to be a discussion on Linux Gigabit routers
> on the NANOG-ML but the discussion seems skewed towards forwarding
> performance rather than BGP scalability.

If you're just looking for data gathering, go with Quagga.
We've got an old SOHO box (533Mhz, 512M RAM, 512M Flash drive) running a lean install of Fedora with 8 BGP feeds (somewhat filtered) inbound, and another session to route-views. This replaced a 7200 NPE-300 w/256M that couldn't keep up a few years back.

Cory

From masood at nexlinx.net.pk Sun Dec 21 17:13:45 2008
From: masood at nexlinx.net.pk (Masood Ahmad Shah)
Date: Mon, 22 Dec 2008 03:13:45 +0500
Subject: [c-nsp] RSP4 as route server? - seeking suggestions and opinions
In-Reply-To: References: <2ad168fd0812200630g5c1e0cc9o1ea19d70ba6379ea@mail.gmail.com> <494D0446.9070107@davidcoulson.net> <2ad168fd0812200727m226e7239m50f390a38d7bcd33@mail.gmail.com>
Message-ID: <000601c963b9$681b29c0$38517d40$@net.pk>

You can also use JUNOS olive.

http://juniper.cluepon.net/index.php/Olive

Regards,
Masood

From dwinkworth at att.net Sun Dec 21 18:19:41 2008
From: dwinkworth at att.net (Derick Winkworth)
Date: Sun, 21 Dec 2008 17:19:41 -0600
Subject: [c-nsp] RSP4 as route server? - seeking suggestions and opinions
In-Reply-To: <000601c963b9$681b29c0$38517d40$@net.pk>
References: <2ad168fd0812200630g5c1e0cc9o1ea19d70ba6379ea@mail.gmail.com> <494D0446.9070107@davidcoulson.net> <2ad168fd0812200727m226e7239m50f390a38d7bcd33@mail.gmail.com> <000601c963b9$681b29c0$38517d40$@net.pk>
Message-ID: <494ECF0D.4010606@att.net>

Or Vyatta maybe...

From mailinglist at bangky.net Sun Dec 21 23:16:36 2008
From: mailinglist at bangky.net (Ang Kah Yik)
Date: Mon, 22 Dec 2008 12:16:36 +0800
Subject: [c-nsp] RSP4 as route server? - seeking suggestions and opinions
In-Reply-To: <89944ef40812201421q5b605e75i8ea231e61f0bdaba@mail.gmail.com>
References: <2ad168fd0812200630g5c1e0cc9o1ea19d70ba6379ea@mail.gmail.com> <89944ef40812201421q5b605e75i8ea231e61f0bdaba@mail.gmail.com>
Message-ID: <2ad168fd0812212016v5c558c7fpa04655455bdec535@mail.gmail.com>

Hi all,

Many thanks to those who have replied both on and off list.

From what I've been told, the RSP4 was running 12.0S with 2 full views and about 15-20MB of RAM to spare in '07. The assumption is that with forwarding features such as CEF disabled, it might free up sufficient RAM to handle routing table growth and possibly yet another full table (a total of 3 full views).

I'm not sure how viable an additional full view will be, but the more immediate concern is whether it will be able to handle 2 full views for the next year or so.

Once again, suggestions and opinions are most welcome. Cheers.
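Returning to Dan Stanek's NAT timeout question earlier in this digest: the following is an added example, not code from Cisco or from any poster. It parses text shaped like the output of 'show ip nat translations verbose' and counts the idle child translations of the static tcp/25 mapping, so the table bloat he describes can be measured before the tcp-timeout is lowered. The sample table, its exact column layout and the 192.0.2.10 outside address are constructed assumptions; the inside host 10.142.27.101 comes from his config.

```python
"""Check an IOS NAT table for idle child translations of a static mapping.

Added example for Dan Stanek's SNAT/HSRP question above; it is not code
from Cisco or from any poster.  It parses text shaped like the output of
'show ip nat translations verbose' (the sample below is constructed in
that shape, not captured from a router) and reports how many child
translations of the static tcp/25 mapping are idle, i.e. only waiting
out the one-day default TCP timeout that Dan mentions.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, object]
HMS_RE = re.compile(r"^(\d+):(\d+):(\d+)$")   # 05:12:40
DH_RE = re.compile(r"^(\d+)d(\d+)h$")         # 2d03h


def uptime_to_seconds(text: str) -> Optional[int]:
    """Convert the IOS duration formats seen in the table to seconds."""
    m = HMS_RE.match(text)
    if m:
        h, mi, s = map(int, m.groups())
        return h * 3600 + mi * 60 + s
    m = DH_RE.match(text)
    if m:
        d, h = map(int, m.groups())
        return d * 86400 + h * 3600
    return None  # week-based forms such as 1w2d are not needed here


def parse_translations(text: str) -> List[Entry]:
    """Parse each translation line together with its indented detail line."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Pro "):
            continue
        if not raw.startswith(" "):
            pro, ig, il, ol, og = raw.split()
            entries.append({"proto": pro, "inside_global": ig, "inside_local": il,
                            "outside_local": ol, "outside_global": og,
                            "idle_s": None, "left_s": None, "timeout_s": None,
                            "static": False})
        elif entries:
            cur = entries[-1]
            m = re.search(r"\buse ([\w:]+)", raw)       # time since the last packet
            if m:
                cur["idle_s"] = uptime_to_seconds(m.group(1))
            m = re.search(r"\bleft ([\w:]+)", raw)      # time until the entry expires
            if m:
                cur["left_s"] = uptime_to_seconds(m.group(1))
            m = re.search(r"timeout:(\d+)", raw)        # IOS prints milliseconds
            if m:
                cur["timeout_s"] = int(m.group(1)) // 1000
            m = re.search(r"flags: (.*)", raw)
            if m and "static" in m.group(1):
                cur["static"] = True
    return entries


def idle_children(entries: List[Entry], inside_local: str,
                  idle_after_s: int = 3600) -> Tuple[int, int]:
    """Return (children, idle) for the static mapping that owns inside_local.

    Children are the per-session entries spawned under the static mapping
    (same inside local, real outside addresses); the static parent shows
    '---' for the outside pair and is excluded.  A child is idle when no
    packet has used it for idle_after_s seconds, so for a finished SMTP
    session it is only occupying a slot until the NAT timeout expires.
    """
    children = [e for e in entries
                if e["inside_local"] == inside_local and not e["static"]
                and e["outside_global"] != "---"]
    idle = [e for e in children
            if e["idle_s"] is not None and e["idle_s"] >= idle_after_s]
    return len(children), len(idle)


def per_mapping_counts(entries: List[Entry]) -> Counter:
    """Dynamic translation count per (proto, inside local): where bloat shows."""
    return Counter((e["proto"], e["inside_local"]) for e in entries if not e["static"])


# Constructed sample in the shape of 'show ip nat translations verbose';
# 192.0.2.10 stands in for the shared outside address a.a.a.a.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.0.2.10:25      10.142.27.101:25   ---                ---
    create 2d03h, use 00:00:04 timeout:0, flags: static, extended, use_count: 3
tcp 192.0.2.10:25      10.142.27.101:25   203.0.113.5:40211  203.0.113.5:40211
    create 05:12:40, use 05:12:31 timeout:86400000, left 18:47:29, flags: extended, use_count: 0
tcp 192.0.2.10:25      10.142.27.101:25   198.51.100.7:51120 198.51.100.7:51120
    create 03:40:02, use 03:39:58 timeout:86400000, left 20:20:02, flags: extended, use_count: 0
tcp 192.0.2.10:25      10.142.27.101:25   203.0.113.9:33002  203.0.113.9:33002
    create 00:00:12, use 00:00:04 timeout:86400000, left 23:59:56, flags: extended, use_count: 0
udp 192.0.2.10:1024    10.142.27.55:53    198.51.100.2:53    198.51.100.2:53
    create 00:00:30, use 00:00:30 timeout:300000, left 00:04:30, flags: extended, use_count: 0
"""
```

On the constructed sample, idle_children(parse_translations(SAMPLE), "10.142.27.101:25") returns (3, 2): three children under the static mapping, two of them idle for hours with most of the day still left before they expire.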
On Sun, Dec 21, 2008 at 6:21 AM, root net wrote:
> I have seen some route servers with 256MB load a full table but those were
> running minimum services on Cisco 7204 / 7206 NON VXR. They had a base IOS
> with BGP also so if you can find an IOS image with minimum and BGP for the
> 7500 I think you will be fine. But your router may end up bouncing...I have
> a strong feeling. Let me know the results please.
>
> RootNet08

--
Ang Kah Yik (bangky) - http://blog.bangky.net

From justin at justinshore.com Mon Dec 22 14:18:59 2008
From: justin at justinshore.com (Justin Shore)
Date: Mon, 22 Dec 2008 13:18:59 -0600
Subject: [c-nsp] Sharing HSRP group numbers across multiple HSRP instances
Message-ID: <494FE823.9060201@justinshore.com>

I have a situation in which I'm wondering if I can use the same HSRP group number for multiple SVIs on a pair of 7600s. The VLANs all perform similar functions in groups of 3; outside of FWSM contexts, inside of FWSM context, SVI for terminating client IPSec VPNs. Ie, each customer has 3 VLANs that perform these functions. I have multiple customers and each has 3 VLANs in VRFs (where applicable) on my 7600s carved out for these specific functions.

Can I use the same HSRP group for each of the individual 3 VLANs across multiple customers? ie:

Customer  VLAN  Purpose
-------------------------------
1         1501  Outside
1         1601  Inside
1         1701  CVPN
2         1502  Outside
2         1602  Inside
2         1702  CVPN
3         1503  Outside
3         1603  Inside
3         1703  CVPN

Purpose       HSRP Group
---------------------------
FWSM outside  100
FWSM inside   101
CVPN          102

VLANs 1501-1503 get group 100, 1601-1603 get group 101, 1701-1703 get group 102. Each customer VLAN performing that specific role shares that HSRP group #. That's worded better. All VLANs share the same L2 infrastructure (actually they never leave the 7600s).

Is this doable or should I just use HSRPv2 and one of the 4096 group #s available to me? Would sharing group #s result in fewer HSRP hellos sent and processed, thus lower RP overhead?

Just curious. Thanks
Justin

From christian.macnevin at gmail.com Mon Dec 22 14:25:38 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Mon, 22 Dec 2008 11:25:38 -0800
Subject: [c-nsp] Sharing HSRP group numbers across multiple HSRP instances
In-Reply-To: <494FE823.9060201@justinshore.com>
References: <494FE823.9060201@justinshore.com>
Message-ID:

As far as I'm aware, the group number is irrelevant. You're still getting a group per vlan, it's just that the identifier only reaches 255. The configuration is all local to the VLAN, so I'm not aware of any shared anything except for number *space*. ie:

int vlan 1
 standby 1 ip 1.2.3.4
 standby 1 preempt
!
int vlan 2
 standby 1 ip 1.2.3.5
 standby 1 preempt

Still results in two completely separate calculations and sets of advertisements, no?

From avayner at cisco.com Mon Dec 22 14:46:40 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 22 Dec 2008 20:46:40 +0100
Subject: [c-nsp] Sharing HSRP group numbers across multiple HSRP instances
In-Reply-To: <494FE823.9060201@justinshore.com>
References: <494FE823.9060201@justinshore.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A502590449@xmb-ams-331.emea.cisco.com>

Justin,

The group number sets the virtual MAC address assigned to that group. If you have some transparent L2 infrastructure (such as a VPLS domain you try to transit) this could cause issues, and using different groups per different VLANs is critical. In most other cases there is no need to change group numbers between VLANs.

Take a look here:
http://www.cisco.com/en/US/docs/ios/ipapp/command/reference/iap_s2.html#wp1073440

Another point is that you can use HSRPv2, which extends the group number to 4096:
http://www.cisco.com/en/US/docs/ios/ipapp/command/reference/iap_s3.html#wp1063204

Arie

From felixnkansah at gmail.com Mon Dec 22 15:04:42 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Mon, 22 Dec 2008 20:04:42 +0000
Subject: [c-nsp] Configure VPN Client Software to Automatically Reconnect?
Message-ID: <18dba4e50812221204r25593024ra98e419ec4342d20@mail.gmail.com>

Hi,

A windows PC at a remote location is using internet connection sharing to allow other site computers access to the outside via Internet. This Windows PC has a corporate connection to the head office through a running cisco vpn client software.

Whenever the vpn client software disconnects for any reason (such as poor link performance or fluctuation), a user has to manually go to the PC to reconnect.

I was wondering if it's possible to configure the vpn client software to automatically reestablish a session to the vpn server if it should disconnect for any reason.

Let me know your suggestions.

Thanks,
Felix

From felixnkansah at gmail.com Mon Dec 22 15:29:10 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Mon, 22 Dec 2008 20:29:10 +0000
Subject: [c-nsp] Configure VPN Client Software to Automatically Reconnect?
In-Reply-To: References: <18dba4e50812221204r25593024ra98e419ec4342d20@mail.gmail.com>
Message-ID: <18dba4e50812221229o5c5167d5p9647480bc840f5d4@mail.gmail.com>

Hi Security,

I understand your sentiment below. But I have been asked more than once by some corporate IT guys narrating the above scenario to me, and inquiring about how to get the vpn client to automatically connect.

I have usually said I'm not sure that can be done, but I feel it's wiser to ask other experts on this client auto-reconnect issue before such conclusions.

Do you know if it's possible to accomplish that, and how?
Felix
ccie r&s, security

On Mon, Dec 22, 2008 at 8:21 PM, The Security Community <thesecuritycommunity at gmail.com> wrote:
> In my experience, the person setting that up (or the person allowing
> it to continue) would be fired.
>
> This is a very, very bad idea.
>

From MatlockK at exempla.org Mon Dec 22 15:46:04 2008
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Mon, 22 Dec 2008 13:46:04 -0700
Subject: [c-nsp] Configure VPN Client Software to Automatically Reconnect?
In-Reply-To: <18dba4e50812221229o5c5167d5p9647480bc840f5d4@mail.gmail.com>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7037AFB17@LMC-MAIL2.exempla.org>

Looks like this feature has been included in the newer Client versions.

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/win/user/guide/vc.pdf

Search for 'reconnect' in the text. Not sure what version started including it, but I imagine the newest release would have it.

Ken

From justin at justinshore.com Mon Dec 22 17:07:13 2008
From: justin at justinshore.com (Justin Shore)
Date: Mon, 22 Dec 2008 16:07:13 -0600
Subject: [c-nsp] Sharing HSRP group numbers across multiple HSRP instances
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A502590449@xmb-ams-331.emea.cisco.com>
References: <494FE823.9060201@justinshore.com> <67F7C1FAF83A074AA3520D8F155782A502590449@xmb-ams-331.emea.cisco.com>
Message-ID: <49500F91.8000001@justinshore.com>

Arie & Christian,

Thanks for the replies. So re-using HSRP group #s doesn't create any conflicts? That's good to know. It also won't reduce the load? That's unfortunate. For some reason I had it in my mind that you could create some sort of collective HSRP instance over a common L2 infrastructure that would share hellos and switch as one common unit. It would be like MST for HSRP essentially.

One design scenario I didn't ask about was if I could do the same thing with HSRP instances on sub-ints of a router. On the other end of these MPLS/VPNs is a pair of ISRs facing a 3560 with 1Q trunks. On each ISR is an int facing the 3560 and that int is broken up into several sub-ints. I have HSRP instances on those as well. I have a matching instance on each ISR for each customer VLAN. However I just tried to create a new sub-int with the same HSRP group # and it yelled at me. Apparently it isn't supported on the same physical interface.

% Must use unique HSRP group number for each logical interface that is a member of the same physical interface.

This isn't a problem for me. Our contiguous L2 infrastructure isn't so big that 4096 HSRP group numbers won't handle it. I doubt if we'll have more than 1000 before I'm breaking it up into smaller pieces for bandwidth reasons.
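Arie's point that the group number fixes the virtual MAC can be turned into a design check. What follows is an added example, not code from Cisco or from any poster: it derives the HSRPv1/v2 virtual MAC from the group number and flags SVIs that would claim the same MAC on one L2 domain (the VPLS case), which is exactly when reusing a group across VLANs stops being harmless. The config excerpt, the documentation-range addresses and the "vpls-cust" domain label are constructed from Justin's table.

```python
"""HSRP virtual MAC derivation and collision check.

Added example for the HSRP group-number thread above; it is not code from
Cisco or from any poster.  It encodes the HSRP virtual MAC formats
(HSRPv1: 0000.0c07.acXX, XX = group 0-255 in hex; HSRPv2: 0000.0c9f.fXXX,
XXX = group 0-4095 in hex) and flags SVIs that would answer for the same
virtual MAC on one L2 domain, the VPLS case Arie warns about.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class HsrpGroup(NamedTuple):
    interface: str   # e.g. "Vlan1501"
    l2_domain: str   # label for the broadcast domain the SVI lives in
    version: int     # 1 or 2
    group: int


def hsrp_virtual_mac(version: int, group: int) -> str:
    """Return the virtual MAC that HSRP derives from the group number."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be 0-4095")
        return f"0000.0c9f.f{group:03x}"
    raise ValueError("HSRP version must be 1 or 2")


def parse_standby_config(config: str,
                         bridged: Optional[Dict[str, str]] = None) -> List[HsrpGroup]:
    """Extract HSRP groups from an IOS-style config excerpt.

    `bridged` maps an interface to the L2 domain it is stitched into (for
    example a VPLS instance); interfaces not listed count as their own
    broadcast domain, the normal SVI-per-VLAN case.  The HSRP version is
    applied per interface block, so where 'standby version 2' sits inside
    the block does not matter.
    """
    bridged = bridged or {}
    groups: List[HsrpGroup] = []
    iface: Optional[str] = None
    version = 1
    pending: List[int] = []

    def flush() -> None:
        for grp in pending:
            groups.append(HsrpGroup(iface, bridged.get(iface, iface), version, grp))

    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface" and len(tok) > 1:
            flush()
            iface, version, pending = tok[1], 1, []
        elif iface and tok[:2] == ["standby", "version"] and len(tok) > 2:
            version = int(tok[2])
        elif (iface and tok[0] == "standby" and len(tok) > 2
              and tok[1].isdigit() and tok[2] == "ip"):
            pending.append(int(tok[1]))
    flush()
    return groups


def find_mac_collisions(groups: List[HsrpGroup]) -> Dict[Tuple[str, str], List[str]]:
    """Return {(l2_domain, virtual_mac): [interfaces]} for every virtual MAC
    that two or more HSRP groups would claim on the same L2 domain."""
    seen: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for g in groups:
        seen[(g.l2_domain, hsrp_virtual_mac(g.version, g.group))].append(g.interface)
    return {key: ifaces for key, ifaces in seen.items() if len(ifaces) > 1}


# Constructed excerpt following Justin's plan: group 100 on every "outside"
# SVI, group 101 on an "inside" SVI.  Addresses are documentation ranges.
JUSTIN_CONFIG = """
interface Vlan1501
 standby 100 ip 192.0.2.1
interface Vlan1502
 standby 100 ip 192.0.2.9
interface Vlan1503
 standby 100 ip 192.0.2.17
interface Vlan1601
 standby version 2
 standby 101 ip 198.51.100.1
"""

if __name__ == "__main__":
    # Each VLAN is its own broadcast domain: reusing group 100 is harmless.
    print("separate VLANs:", find_mac_collisions(parse_standby_config(JUSTIN_CONFIG)))
    # Vlan1501 and Vlan1502 stitched into one VPLS instance: one MAC, two owners.
    stitched = {"Vlan1501": "vpls-cust", "Vlan1502": "vpls-cust"}
    print("VPLS-bridged  :", find_mac_collisions(parse_standby_config(JUSTIN_CONFIG, stitched)))
```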
Thanks for the info
Justin

From William.Murphy at uth.tmc.edu Mon Dec 22 17:27:56 2008
From: William.Murphy at uth.tmc.edu (Murphy, William)
Date: Mon, 22 Dec 2008 16:27:56 -0600
Subject: [c-nsp] Sharing HSRP group numbers across multiple HSRP instances
In-Reply-To: <49500F91.8000001@justinshore.com>
References: <494FE823.9060201@justinshore.com> <67F7C1FAF83A074AA3520D8F155782A502590449@xmb-ams-331.emea.cisco.com> <49500F91.8000001@justinshore.com>
Message-ID: <164030B85F3A8B40B960817918CB021001BC706D@UTHEVS4.mail.uthouston.edu>

If you are placing lots of HSRP groups on the same interface I would imagine at some point hello traffic would become an issue... I guess it really depends on the bandwidth and how aggressively you tune your timers...

Bill

From djweis at internetsolver.com Mon Dec 22 16:58:55 2008
From: djweis at internetsolver.com (Dave Weis)
Date: Mon, 22 Dec 2008 15:58:55 -0600 (CST)
Subject: [c-nsp] ME3400 VLAN Translation
Message-ID:

It's mentioned in all of the sales literature but I'm not having any luck finding it mentioned in the configuration guides. Is it listed as something else?

dave

--
Dave Weis
djweis at internetsolver.com
http://www.internetsolver.com/

From dan at beanfield.com Mon Dec 22 18:00:51 2008
From: dan at beanfield.com (Dan Armstrong)
Date: Mon, 22 Dec 2008 18:00:51 -0500
Subject: [c-nsp] ME3400 VLAN Translation
In-Reply-To: References: Message-ID: <49501C23.9030609@beanfield.com>

We have never been able to perform VLAN translation on an ME3400.

Dave Weis wrote:
>
> It's mentioned in all of the sales literature but I'm not having any
> luck finding it mentioned in the configuration guides. Is it listed as
> something else?
>
> dave
>

From Damien.Vigar at det.nsw.edu.au Mon Dec 22 22:40:14 2008
From: Damien.Vigar at det.nsw.edu.au (Vigar, Damien)
Date: Tue, 23 Dec 2008 14:40:14 +1100
Subject: [c-nsp] Windows server hangs connected to 3750
In-Reply-To: <0DD0E17BE9C0FA47981C67E9939D3D342EAA863145@SLPPEXCCR02.central.det.win>
References: <0DD0E17BE9C0FA47981C67E9939D3D342EAA86312B@SLPPEXCCR02.central.det.win> <748865.92820.qm@web110112.mail.gq1.yahoo.com> <0DD0E17BE9C0FA47981C67E9939D3D342EAA863145@SLPPEXCCR02.central.det.win>
Message-ID: <0DD0E17BE9C0FA47981C67E9939D3D342EAB408FF5@SLPPEXCCR02.central.det.win>

Hi all,

Getting back to this issue - our server administrator tells me that he believes the crashes these servers were experiencing were, in fact, an issue on the server box (and not to do with the network switch at all). Looks like the culprit was Backup Exec/Symantec AV not playing nice on these heavily-used DC/GC/file and print servers.

I told him it wasn't the network :-)

Thanks to all who suggested ideas to troubleshoot!

Regards,

Damien Vigar
Technology Support Officer - Infrastructure
Information and Communications Technology
Western NSW
Department of Education and Training
Email: Damien.Vigar at det.nsw.edu.au
Phone: (02) 6885 7507
Fax: (02) 6885 7581

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vigar, Damien
> Sent: Thursday, 27 November 2008 12:26 PM
> To: td_miles at yahoo.com; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Windows server hangs connected to 3750
>
> Responses inline...
>
> >
> > Damien,
> >
> > What sort of troubleshooting have you done thus far ?
> >
> > Some questions/suggestions:
> >
> > * check to make sure MAC addresses on the servers aren't the same. Sounds
> > strange but I've had it before (from a reputable vendor whose name is
> > abbreviated to 3 letters).
>
> No, they're unique - I've heard of this but never seen it.
> The NICs show as
> HP NC373i Multifunction Gigabit Server Adapter on our newer server, and HP
> NC7781 Gigabit Server Adapter on the server at another smaller site where
> the issue has occurred.
>
> > * hard code both switch & server to 1000/full to make sure you're not
> > getting speed/duplex mismatches.
> As mentioned in another email, we've tried both auto and hard-coded.
> Currently the local support guys onsite have moved the server back to a fast
> ethernet port, and the problem hasn't recurred (ports and NIC both on Auto-
> negotiate)
>
> > * does the problem continue to happen when ONLY the servers are connected
> > to the switch (ie. isolated from rest of the network) ?
> I'd love to be able to test that - as these are the DC/file & print servers
> for TAFE (educational) campuses we won't be able to do that, at least during
> the week. And as a government job, overtime doesn't happen :-)
> Hmm - we've got the Xmas break coming up soon, I may be able to get them
> isolated for a bit during this time...
>
> > * try new GBICs to check they aren't bad. Swap the ones that aren't
> > working for some that are known to work (you mentioned you have some
> > switches/servers that are working).
> I can try this. It'll take time - we have one server at each of our 35
> sites, spread across about half of New South Wales. So I can send new GBICs
> to sites and get some returned, but it might not be for a while.
>
> > * change the NIC in the server. You're probably using the onboard NIC's so
> > this would mean adding a PCI Gb NIC to a server to test.
> Pretty sure the onboard card is what is in use. I'll see if there's any NICs
> around that we can test with.
>
> > * move one of your servers that IS working to the same switchport that
> > isn't working with these new servers. This will pretty much rule out the
> > switch (provided that it continues to work) and you can start looking at
> > the servers harder.
> As mentioned above, we've pretty much only the one server at each site. I'll
> check what we can do, though.
>
> > * does it happen immediately (ie. as soon as you connect the servers) or
> > does it take minutes/hours for the problem to show up ?
> It can take quite a while. It happened about once a week for a couple of
> weeks.
>
> > * have you got anything fancy configured on the switch ?
> Pretty basic - running one vlan for data, another for voice (Cisco IP Tel).
> The SFP port the GBIC is in is configured only for the data VLAN.
>
> > * To attempt to see if it's a software issue you could boot up a live
> > linux distro (eg. knoppix) and see if it has the same problems with the Gb
> > cards/switch. If that works fine, then a reinstall of Windows might be
> > called for and following that up with MS tech support if problem still
> > occurs.
> I'll speak to our local support staff and see if we can get a box booted
> with knoppix or similar put onto the port for a while.
>
> > * I think someone else already asked if you're doing anything fancy like
> > clustering or load sharing/balancing ?
> Yep. Nothing like that at these sites.
>
> > regards,
> > Tony.
>
> Cheers,
>
> Damien
>
> **********************************************************************
> This message is intended for the addressee named and may contain
> privileged information or confidential information or both. If you
> are not the intended recipient please delete it and notify the sender.
> **********************************************************************

From p_ambedkar at rediffmail.com Mon Dec 22 23:12:46 2008
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 23 Dec 2008 04:12:46 -0000
Subject: [c-nsp] BW allocation
Message-ID: <20081223041246.62705.qmail@f4mail-235-238.rediffmail.com>

Hi, I am having 256kbps BW. I want to divide the BW into two channels consisting of 128kbps each. Please suggest how to divide.

bye.

From jay at west.net Mon Dec 22 23:32:58 2008
From: jay at west.net (Jay Hennigan)
Date: Mon, 22 Dec 2008 20:32:58 -0800
Subject: [c-nsp] BW allocation
In-Reply-To: <20081223041246.62705.qmail@f4mail-235-238.rediffmail.com>
References: <20081223041246.62705.qmail@f4mail-235-238.rediffmail.com>
Message-ID: <495069FA.40201@west.net>

ambedkar wrote:
> Hi, i am having 256kbps BW. I want to divide the BW into two channels
> consisting of 128kbps each. please suggest how to divide.
> bye.

Ummm... By two?

Seriously, can you give some more detail as to what hardware and what layer-2 transport you are using, and exactly what you're trying to accomplish? Bi-directional? Allow each channel to burst if the other is idle?

If, for example, you are dealing with a router having fractional T-1 circuits in and out the solution will be different than on a layer-2 ethernet switch, and different for frame-relay PVCs.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From dv at dv.ru Tue Dec 23 03:39:23 2008
From: dv at dv.ru (Dmitry Valdov)
Date: Tue, 23 Dec 2008 11:39:23 +0300 (MSK)
Subject: [c-nsp] ME3400 VLAN Translation
In-Reply-To:
References:
Message-ID: <20081223113653.I53257@xkis.kis.ru>

Hello,

AFAIK, they can not do vlan translation. You may look at the new ME3400E series.
http://www.cisco.com/en/US/products/ps9637/index.html

On Mon, 22 Dec 2008, Dave Weis wrote:

>
> It's mentioned in all of the sales literature but I'm not having any luck
> finding it mentioned in the configuration guides. Is it listed as something
> else?

--
Dmitry Valdov
CCIE #15379 (R&S and SP)

From gkg at gmx.de Tue Dec 23 04:21:36 2008
From: gkg at gmx.de (Garry)
Date: Tue, 23 Dec 2008 10:21:36 +0100
Subject: [c-nsp] ME3400 VLAN Translation
In-Reply-To: <20081223113653.I53257@xkis.kis.ru>
References: <20081223113653.I53257@xkis.kis.ru>
Message-ID: <4950ADA0.9040707@gmx.de>

Dmitry Valdov wrote:
> Hello,
>
> AFAIK, they can not do vlan translation. You may look at new ME3400E
> series.
> http://www.cisco.com/en/US/products/ps9637/index.html

Hm ... is there a feature comparison between 3400 and 3400E available somewhere?

-garry

From p_ambedkar at rediffmail.com Tue Dec 23 04:30:20 2008
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 23 Dec 2008 09:30:20 -0000
Subject: [c-nsp] BW allocation
Message-ID: <20081223093020.27353.qmail@f4mail-235-238.rediffmail.com>

hi,

I am using a VSAT link of 256kbps, two channels of 100kbps and 156 kbps each. I am using a Cisco 3845 router. Here I want to restrict the second channel to 156 kbps. I have an idea about class-map, policy-map and service-policy. I tested with the class-map; have a look at it.

class-map match-all TEST
 match input-interface gig 0/0.11

(sub-interface which is of 156kbps)

But the problem is it is taking it as the global interface, i.e., gig0/0, instead of the sub-interface, i.e., gig0/0.11. And I also want to know, in a policy map, what is the difference between bandwidth and police.

thanks in advance.

bye.
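The thread never answers the "bandwidth vs. police" part of the question, so here is an added simulation of the two behaviours; it is not IOS configuration and not code from any of the posts. In a policy map, `police` is a token-bucket rate limiter: traffic above the rate is dropped (or re-marked) immediately, even if the link is otherwise idle, while `bandwidth` is a CBWFQ minimum guarantee: the class is assured its share when the link is congested but may use whatever other classes leave unused. The link and class rates below are the thread's (256 kbps VSAT link, 156 kbps and 100 kbps channels); the 1000-byte packet size, the 4875-byte policer burst and the evenly spaced arrivals are constructed assumptions. The `deficit_round_robin` scheduler is a generic weighted scheduler standing in for CBWFQ, not Cisco's implementation. It does not address the sub-interface matching problem.

```python
"""Policer versus minimum-bandwidth guarantee, simulated.

Added illustration for the "bandwidth vs. police" question in the thread.
Not IOS configuration and not code from the original posts.  Link and class
rates come from the thread; packet size, policer burst and arrival pattern
are constructed assumptions chosen so the arithmetic is exact.
"""
from collections import deque
from fractions import Fraction

PACKET = 1000  # bytes per packet (constructed; every packet is this size)


class TokenBucketPolicer:
    """Single-rate policer.  A packet is forwarded only if the bucket holds
    enough tokens, otherwise it is dropped on the spot: a policer never
    queues, so excess traffic is lost even when the link is otherwise idle."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = Fraction(rate_bps, 8)   # tokens (bytes) added per second
        self.burst = Fraction(burst_bytes)  # bucket depth
        self.tokens = self.burst
        self.last = Fraction(0)

    def offer(self, t, size):
        """True if a `size`-byte packet arriving at time t (seconds) is forwarded."""
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def police(offered_bps, rate_bps, burst_bytes, seconds):
    """Offer evenly spaced PACKET-byte packets at `offered_bps` for `seconds`
    through a policer; return (forwarded, dropped) packet counts."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    pps = Fraction(offered_bps, 8 * PACKET)  # packets per second
    total = int(pps * seconds)
    forwarded = sum(1 for k in range(total) if policer.offer(k / pps, PACKET))
    return forwarded, total - forwarded


def deficit_round_robin(queues, quanta, link_bytes):
    """Schedule per-class FIFO queues (of packet sizes) onto a link that can
    carry `link_bytes` in the simulated interval.  Each round a class earns
    its quantum of deficit and sends while its head packet fits; an empty
    class forfeits its deficit, so unused share flows to the other classes.
    This is the minimum-guarantee behaviour of a `bandwidth` class.
    Returns bytes sent per class."""
    deficit = {c: 0 for c in queues}
    sent = {c: 0 for c in queues}
    budget = link_bytes
    while any(queues.values()):
        if budget < min(q[0] for q in queues.values() if q):
            break  # interval over: nothing else fits on the link
        for cls, q in queues.items():
            if not q:
                deficit[cls] = 0
                continue
            deficit[cls] += quanta[cls]
            while q and q[0] <= deficit[cls] and q[0] <= budget:
                size = q.popleft()
                deficit[cls] -= size
                budget -= size
                sent[cls] += size
    return sent


def share_link(link_bps, class_bps, backlog, seconds):
    """Run classes with `bandwidth`-style weights over a link for `seconds`.
    `backlog` is the number of PACKET-byte packets each class has queued
    (0 = idle).  Returns packets delivered per class."""
    queues = {c: deque([PACKET] * n) for c, n in backlog.items()}
    quanta = {c: bps // 100 for c, bps in class_bps.items()}  # 156 kbps -> 1560 B/round
    sent = deficit_round_robin(queues, quanta, link_bps * seconds // 8)
    return {c: b // PACKET for c, b in sent.items()}


if __name__ == "__main__":
    # police 156k on a channel offered the full 256 kbps link rate for 10 s
    fwd, drop = police(256000, 156000, 4875, 10)
    print(f"police 156k: forwarded={fwd} dropped={drop} "
          f"-> {fwd * PACKET * 8 / 10 / 1000:.1f} kbps")
    # bandwidth 156k / 100k on a 256 kbps link, both classes backlogged
    print("bandwidth, both busy:",
          share_link(256000, {"A": 156000, "B": 100000}, {"A": 400, "B": 400}, 10))
    # same weights, class B idle: A takes the whole link, there is no hard cap
    print("bandwidth, B idle:   ",
          share_link(256000, {"A": 156000, "B": 100000}, {"A": 400, "B": 0}, 10))
```

With these inputs the policer forwards 199 of 320 packets in 10 seconds (about 159 kbps) and drops the other 121 even though the link had capacity to spare, whereas the weighted scheduler delivers 195:125 packets (the 156:100 ratio) when both classes are busy and all 320 packets to class A when B is idle. That is the practical difference: `police` enforces a ceiling, `bandwidth` enforces a floor.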
From ibrahim.abozaid at gmail.com Tue Dec 23 05:23:24 2008
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Tue, 23 Dec 2008 12:23:24 +0200
Subject: [c-nsp] MPLS VPN Problem - EoS conflict
Message-ID:

Hi All

I was implementing an MPLS VPN topology and by mistake I was configuring the PE-LP used for MP-BGP peering with a wrong mask, /24 instead of /32 (the remote PE-LP mask is /32).

By T.S., I discovered that the P router upstream of this PE was dropping incoming MPLS packets with the below error message:

tagsw_replace_header: Pkt drop -- EoS conflict, incg label 18 hwinput Fa0/0

Discovering FIB:

3#sh mpls forwarding-table | in 18
18    Untagged    150.1.3.3/32    1230    Se0/1    point2point

So when the mask was /24, the PE advertised the label as an untagged label, so incoming traffic over the MPLS interface will be converted to IP traffic and, looking it up in the LFIB, it will forward it down the MPLS interface to the PE as a native IP packet while it should be an MPLS packet with label 3.

I need to know why that happens. Does LDP-Adv tell the S-bit setting in incoming packets according to label type?

BTW, the problem was solved after changing the LO mask to /32 and it has been advertised as Imp-Null:

18    Pop tag    150.1.3.3/32    0    Se0/1    point2point

Your responses are highly appreciated.

best regards
--Ibrahim

From swmike at swm.pp.se Tue Dec 23 05:35:36 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 23 Dec 2008 11:35:36 +0100 (CET)
Subject: [c-nsp] MPLS VPN Problem - EoS conflict
In-Reply-To:
References:
Message-ID:

On Tue, 23 Dec 2008, Ibrahim Abo Zaid wrote:

> so when the mask was /24 , PE advertise label as untag label so incoming

In my experience "untagged" means "there is no tag", "pop tag" means "tag indicates label should be popped".

So when you had /24 as mask, the proper label wasn't advertised/received.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From erik at infopact.nl Tue Dec 23 05:37:08 2008
From: erik at infopact.nl (E. Versaevel)
Date: Tue, 23 Dec 2008 11:37:08 +0100
Subject: [c-nsp] MPLS VPN Problem - EoS conflict
In-Reply-To:
References:
Message-ID: <4950BF54.80502@infopact.nl>

From RFC 3032:

   iv. A value of 3 represents the "Implicit NULL Label". This is a
       label that an LSR may assign and distribute, but which never
       actually appears in the encapsulation. When an LSR would
       otherwise replace the label at the top of the stack with a new
       label, but the new label is "Implicit NULL", the LSR will pop
       the stack instead of doing the replacement. Although this value
       may never appear in the encapsulation, it needs to be specified
       in the Label Distribution Protocol, so a value is reserved.

Ibrahim Abo Zaid wrote:
> Hi All
>
>
> I was implementing MPLS VPN topology and by mistake i was configuring PE-LP
> used for MP-BGP peering with a wrong mask /24 instead of /32 (remote PE-LP
> mask is /32) .
>
>
> by T.S , i discovered that P router upstream of this PE was dropping
> incoming MPLS packets with the below error message
>
> tagsw_replace_header: Pkt drop -- EoS conflict, incg label 18 hwinput Fa0/0
>
> discovering FIB
>
> 3#sh mpls forwarding-table | in 18
>
> 18 Untagged 150.1.3.3/32 1230 Se0/1 point2point
>
> so when the mask was /24 , PE advertise label as untag label so incoming
> traffic over MPLS interface will be converted to IP traffic and looking up in
> LFIB , it will forward it down MPLS interface to PE as native IP packet
> while it should MPLS packet with label-3
>
> I need to know why that happens ? , does LDP-Adv tells S-bit setting in
> incoming packets according to label type ?
>
> BTW , the problem solved after changing LO mask to /32 and it has been
> advertised as Imp-Null
>
> 18 Pop tag 150.1.3.3/32 0 Se0/1 point2point
>
>
> your responses are highly appreciated
>
>
> best regards
> --Ibrahim

Erik Versaevel

From wellknown at gmx.net Tue Dec 23 05:41:10 2008
From: wellknown at gmx.net (wellknown at gmx.net)
Date: Tue, 23 Dec 2008 11:41:10 +0100
Subject: [c-nsp] 6509 with ws-x6148 or ws-x6348?
Message-ID: <20081223104110.292290@gmx.net>

Hi List,

we bought our first cisco for use at a lan-party some days ago and now need 48 port FE modules.

Situation:

Cisco6509 with dual Sup2

Use:

directly connecting all PCs via 10/100 connections in separated vlans and
Upstream via OSPF and equal cost multipath default routes to two routers via gbit on supervisor.

Can anyone explain the difference between the cards ws-x6148 and ws-x6348? Both are relatively cheaply available on the bay. I read about some problems with the x-6348 on the list. Seems that they have the same buffer sizes and I am not able to find a difference.

Is the above mentioned a usable configuration for this application?

Is it possible to use all 4 gig ports of the supervisors as equal cost uplinks in parallel or is the second supervisor engine only active as backup?

Ok, hope for reply!

Best regards & merry Christmas!
-Tom

--
Sensational offer extended: GMX FreeDSL - phone line + DSL for only 16.37 Euro/month!* http://dsl.gmx.de/?ac=OM.AD.PD003K1308T4569a

From p.mayers at imperial.ac.uk Tue Dec 23 05:27:49 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 23 Dec 2008 10:27:49 +0000
Subject: [c-nsp] Sharing HSRP group numbers across multiple HSRP instances
In-Reply-To: <49500F91.8000001@justinshore.com>
References: <494FE823.9060201@justinshore.com> <67F7C1FAF83A074AA3520D8F155782A502590449@xmb-ams-331.emea.cisco.com> <49500F91.8000001@justinshore.com>
Message-ID: <20081223102749.GA23350@wildfire.net.ic.ac.uk>

On Mon, Dec 22, 2008 at 10:07:13PM +0000, Justin Shore wrote:
>Arie & Christian,
>
>Thanks for the replies. So re-using HSRP group #s doesn't create any

Correct, it works fine.

>conflicts? That's good to know. It also won't reduce the load? That's
>unfortunate. For some reason I had it in my mind that you could
>create some sort of collective HSRP instance over a common L2
>infrastructure that would share hellos and switch as one common unit.
>It would be like MST for HSRP essentially.

That's the "HSRP multiple group optimisation" which is available on SXI and SRsomething, but sadly it supports routed subints on the same master physical int *only* - no SVIs:

int Gi1/1.1
 standby name foo
 ! other config
int Gi1/1.2
 standby follow foo
 ! other config

Attempting to configure on SVIs gives some random error message about "different physical parent interfaces". I can't see any reason for the restriction - I keep meaning to put an RFE in.

From felixnkansah at gmail.com Tue Dec 23 08:36:13 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Tue, 23 Dec 2008 13:36:13 +0000
Subject: [c-nsp] Configure VPN Client Software to AutomaticallyReconnect?
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7037AFB17@LMC-MAIL2.exempla.org>
References: <18dba4e50812221229o5c5167d5p9647480bc840f5d4@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7037AFB17@LMC-MAIL2.exempla.org>
Message-ID: <18dba4e50812230536o2ed2e2abq3e372804ee893c45@mail.gmail.com>

Hi Mat,

Great document. Really appreciated.

Felix
ccie r&s, security

On Mon, Dec 22, 2008 at 8:46 PM, Matlock, Kenneth L wrote:
> Looks like this feature has been included in the newer Client versions.
>
> http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/win/user/guide/vc.pdf
>
> Search for 'reconnect' in the text.
>
> Not sure what version started including it, but I imagine the newest
> release would have it.
>
> Ken
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
> Sent: Monday, December 22, 2008 1:29 PM
> To: The Security Community
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Configure VPN Client Software to
> AutomaticallyReconnect?
>

From geoff at pendery.net Tue Dec 23 09:03:49 2008
From: geoff at pendery.net (Geoffrey Pendery)
Date: Tue, 23 Dec 2008 08:03:49 -0600
Subject: [c-nsp] 6509 with ws-x6148 or ws-x6348?
In-Reply-To: <20081223104110.292290@gmx.net>
References: <20081223104110.292290@gmx.net>
Message-ID:

Either one should work for your purposes.

Assuming you're talking WS-X6148-RJ45 and WS-X6348-RJ45, not RJ45V (for PoE) or anything like that, then as you said the buffers and QoS capabilities are the same.

The uplink ports on the Sups can both be active. As for how to use them as uplinks, it depends on the routers you're uplinking to. If the routers support Etherchannel/LAGs, you could pair them up and have a two-gig link to each router, otherwise you can just put four equal-cost routes in the table and let CEF handle the load-sharing.
-Geoff

On Tue, Dec 23, 2008 at 4:41 AM, wrote:
> Hi List,
>
> we bought our first cisco for use at lan-party some days ago and now need 48 port fe modules.
>
> Situation:
>
> Cisco6509 with dual Sup2
>
> Use:
>
> directly connecting all PCs via 10/100 connections in separated vlans and
> Upstream via OSPF and equal cost multipath default routes to two routers via gbit on supervisor.
>
>
> Can anyone explain the difference between the cards ws-x6148 and ws-x6348? Both are relatively cheap available on the bay. I read about some problems with the x-6348 on the list. Seems that they have same buffer sizes and I am not able to find a difference.
>
>
> Is the above mentioned a usable configuration for this application?
>
> Is it possible to use all 4 gig ports of the supervisors as equal cost uplinks in parallel or is the second supervisor engine only active as backup?
>
>
> Ok, hope for reply!
>
> Best regards & merry Christmas!
>
> -Tom
>

From bwindle at fint.org Tue Dec 23 09:16:48 2008
From: bwindle at fint.org (Burton Windle)
Date: Tue, 23 Dec 2008 06:16:48 -0800 (PST)
Subject: [c-nsp] Web Application Firewalls (PCI 6.6)
Message-ID: <17c63799a357914d75d1717bcca502c1.squirrel@webmail.fint.org>

I'm looking for reviews and experiences with the various Web Application Firewalls for compliance with PCI DSS 6.6. I've seen the marketing presentations by Cisco for their ACE, and with Imperva and F5's ASM, but am having trouble finding people who've actually used one.

Pretty small setup... pushing ~50mbit of egress traffic, with ~16k concurrent connections.
Thanks in advance,
Burton

From frnkblk at iname.com Tue Dec 23 09:25:26 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Tue, 23 Dec 2008 08:25:26 -0600
Subject: [c-nsp] Cisco 2950 oddities with MDI-X and unicast flooding
Message-ID:

I had a case of unicast flooding that started Thursday morning and all the technotes I was reading weren't helping me. Since the Cisco 2950T-24 was up for over two years and running 12.1(22)EA2, I thought I would upgrade it to 12.1(22)EA11 to match all my other 2950s and reboot.

The upgrade resolved the unicast flooding (can anyone explain how/why that should be?) but I lost my inter-office transport link on the Fa0/1 (10/100). The switch said "down" and the transport gear said "down". Very strange. Seeing that other switches into this transport gear had cross-over cables, I snapped in a cross-over cable and voila, the link went up.

Anyone see that before?

Frank

From tdurack at gmail.com Tue Dec 23 09:30:50 2008
From: tdurack at gmail.com (Tim Durack)
Date: Tue, 23 Dec 2008 09:30:50 -0500
Subject: [c-nsp] Sharing HSRP group numbers across multiple HSRP instances
In-Reply-To: <20081223102749.GA23350@wildfire.net.ic.ac.uk>
References: <494FE823.9060201@justinshore.com> <67F7C1FAF83A074AA3520D8F155782A502590449@xmb-ams-331.emea.cisco.com> <49500F91.8000001@justinshore.com> <20081223102749.GA23350@wildfire.net.ic.ac.uk>
Message-ID: <9e246b4d0812230630u6a8ccbf8pbc1c28159db5fc7@mail.gmail.com>

On Tue, Dec 23, 2008 at 5:27 AM, Phil Mayers wrote:
> On Mon, Dec 22, 2008 at 10:07:13PM +0000, Justin Shore wrote:
>>
>> Arie & Christian,
>>
>> Thanks for the replies. So re-using HSRP group #s doesn't create any
>
> Correct, it works fine.
>
>> conflicts? That's good to know. It also won't reduce the load? That's
>> unfortunate. For some reason I had it in my mind that you could create
>> some sort of collective HSRP instance over a common L2 infrastructure that
>> would share hellos and switch as one common unit.
>> It would be like MST for
>> HSRP essentially.
>
> That's the "HSRP multiple group optimisation" which is available on SXI and
> SRsomething, but sadly it supports routed subints on the same master
> physical int *only* - no SVIs:
>
> int Gi1/1.1
>  standby name foo
>  ! other config
> int Gi1/1.2
>  standby follow foo
>  ! other config
>
> Attempting to configure on SVIs gives some random error message about
> "different physical parent interfaces". I can't see any reason for the
> restriction - I keep meaning to put an RFE in.

Why would you expect it to work on an SVI? Nothing else does...

After discovering this we put in a feature request. Not expecting it to go anywhere though.

Tim:>

From ray at oneunified.net Tue Dec 23 09:31:31 2008
From: ray at oneunified.net (Ray Burkholder)
Date: Tue, 23 Dec 2008 10:31:31 -0400
Subject: [c-nsp] IOS IDS Signature Updates, still NIL
In-Reply-To: <4923D373.6050508@indo.net.id>
References: <4923BFD5.2090904@fnbs.net> <4923D373.6050508@indo.net.id>
Message-ID: <083d01c9650b$271fc950$755f5bf0$@net>

Some time ago, there was mention that the IOS IPS Version 5 signatures would be updated 'in a few days'. There have been many many 'a few days' come and gone. I was wondering if anyone had any progress report on this. The IOS IPS signatures are about two (2) months out of date now.

--
Scanned for viruses and dangerous content at http://www.oneunified.net and is believed to be clean.

From braaen at zcorum.com Tue Dec 23 09:57:46 2008
From: braaen at zcorum.com (Brian Raaen)
Date: Tue, 23 Dec 2008 09:57:46 -0500
Subject: [c-nsp] Ways to Log IRB DHCP Leases
Message-ID: <200812230957.47438.braaen@zcorum.com>

I am looking for a way that I can do logging for an IRB based DSL network. Currently the router is handing out DHCP, but I am wanting to move it to an external DHCP server. I am wanting to know if IRB supports any type of option 82 DHCP headers that can be used to log circuit information.
I am unable to convert this part of the network to RBE since they are using integrated set-top boxes on a Motorola Nextlevel based system.

----------------------
Brian Raaen
Network Engineer
braaen at zcorum.com

From chris at chrisserafin.com Tue Dec 23 11:07:46 2008
From: chris at chrisserafin.com (ChrisSerafin)
Date: Tue, 23 Dec 2008 10:07:46 -0600
Subject: [c-nsp] PIX - ISAKMP Policy Disappearing
Message-ID: <49510CD2.9020607@chrisserafin.com>

I'm trying to add/modify an isakmp policy map to match a remote VPN peer, and it keeps deleting itself! :)

Here is the config:

! this section adds fine
access-list 100 permit ip any 172.25.101.0 255.255.255.0
access-list TO_RKON permit ip any 172.25.101.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map MAP 40 ipsec-isakmp
crypto map MAP 40 match address TO_RKON
crypto map MAP 40 set peer x.x.x.x
crypto map MAP 40 set transform-set ESP-3DES-MD5
isakmp key xxxxxx address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

! this section keeps deleting itself after changing the authentication to PSK.
isakmp policy 40 authentication pre-share
! as soon as I add this, policy 40 deletes itself.
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

It doesn't matter, but the remote end is a Netscreen and a VPN WAS established just fine, but I'm 'breaking' it to expand the encrypted traffic traversing the VPN tunnel. When doing a 'sh crypto ipsec sa' I see that there are IPSEC SA's established for the OLD phase 2 networks (proxy ids in Netscreen). Maybe clear the crypto sa's? See below.
ELM-xxx(config)# sh cry isa sa
Total     : 3
Embryonic : 0
        dst               src        state     pending     created
    my.firewall       re.mo.t.e     QM_IDLE         0           1

ELM-xxx(config)# sh cry ips sa

interface: outside
    local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
    remote ident (addr/mask/prot/port): (172.25.101.0/255.255.255.0/0/0)
    current_peer: 205.234.155.253:500
    PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 3273, #pkts decrypt: 3273, #pkts verify 3273
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 65.166.255.1, remote crypto endpt.: 205.234.155.253
    path mtu 1500, ipsec overhead 56, media mtu 1500
    current outbound spi: 27954c37

    inbound esp sas:
     spi: 0x55528ec4(1431473860)
       transform: esp-3des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 0, conn id: 10, crypto map: MAP
       sa timing: remaining key lifetime (k/sec): (4607643/446)
       IV size: 8 bytes
       replay detection support: Y

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
     spi: 0x27954c37(664095799)
       transform: esp-3des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 0, conn id: 9, crypto map: MAP
       sa timing: remaining key lifetime (k/sec): (4608000/452)
       IV size: 8 bytes
       replay detection support: Y

    outbound ah sas:

    outbound pcp sas:

All comments welcome,

Chris Serafin
chris at chrisserafin.com

From petelists at templin.org Tue Dec 23 11:45:53 2008
From: petelists at templin.org (Pete Templin)
Date: Tue, 23 Dec 2008 10:45:53 -0600
Subject: [c-nsp] 6509 with ws-x6148 or ws-x6348?
In-Reply-To: <20081223104110.292290@gmx.net>
References: <20081223104110.292290@gmx.net>
Message-ID: <495115C1.10507@templin.org>

wellknown at gmx.net wrote:
> Can anyone explain the difference between the cards ws-x6148 and
> ws-x6348? Both are relatively cheap available on the bay. I read
> about some problems with the x-6348 on the list. Seems that they have
> same buffer sizes and I am not able to find a difference.
I have some ws-x6248 (48 port 10/100 copper FE), some ws-x6348 (48 port 10/100 copper FE), and some ws-x6148A (48 port 10/100/1000 copper GE). Admittedly I don't have any 6148 10/100 cards as a direct comparison.

We've now declared the 6348s as infrastructure only, due to packet loss. In an application where we're using it for customers rate-limited to 10Mbps (or lower) or committing to 10Mbps (or lower), it's theoretically <10% loaded and still dropping packets. 6248s were already on their way out, due to less (if any) QoS support.

The 6148As are "wiring closet" cards, limited to 6Gbps total and 1Gbps per 8 ports. I believe this also precludes any >1Gbps EtherChannels, but we haven't gone there. For our uses, a SIGNIFICANT boost over the 6348s.

pt

From aman.chugh at gmail.com Tue Dec 23 12:37:27 2008
From: aman.chugh at gmail.com (Aman Chugh)
Date: Tue, 23 Dec 2008 23:07:27 +0530
Subject: [c-nsp] Lab Tool
Message-ID:

Hello List,

I am looking for a tool for consolidating all my devices in my lab in different racks and which should act like a database of all my devices with information about the IOS code and software running on these devices, plus the ability to telnet to the device from a webpage. Please let me know some tools either free or $ which can be used for this purpose.

TIA
Aman

From geoff at pendery.net Tue Dec 23 12:43:57 2008
From: geoff at pendery.net (Geoffrey Pendery)
Date: Tue, 23 Dec 2008 11:43:57 -0600
Subject: [c-nsp] 6509 with ws-x6148 or ws-x6348?
In-Reply-To: <495115C1.10507@templin.org>
References: <20081223104110.292290@gmx.net> <495115C1.10507@templin.org>
Message-ID:

Just to clarify that, the 6148A is the newer/better version of the 6148, not just the GE version.
The term after the number tells the speed:

WS-X6148A-GE-TX - new 10/100/1000
WS-X6148A-RJ-45 - new 10/100
WS-X6148-RJ45   - old 10/100

The 6148 vs 6348 vs 6548 vs 6748 distinction is more about the forwarding technology (classic bus, CEF256, CEF720).

However, both 6148 and 6348 are classic bus with no fabric, and I'm having trouble finding the distinction between them.

According to Cisco:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a0080118a5c.shtml

"Each WS-X6348 card is controlled by a single Application-Specific Integrated Circuit (ASIC) that connects the module to both the 32 GB data bus backplane of the switch and to a set of four other ASICs which controls groups of 12 10/100 ports."

I can't find a similar document on the 6148, but I wouldn't expect it to perform better (6148A however is much better but also newer and thus probably more expensive "on the bay").

There are limitations on the ASICs, the backplane bus, and the Supervisor, but I wouldn't expect them to be a problem for a LAN-party. Just as he mentioned, don't expect to drive a full 100 Mbps to each port all the time.

-Geoff

On Tue, Dec 23, 2008 at 10:45 AM, Pete Templin wrote:
> wellknown at gmx.net wrote:
>
>> Can anyone explain the difference between the cards ws-x6148 and
>> ws-x6348? Both are relatively cheap available on the bay. I read
>> about some problems with the x-6348 on the list. Seems that they have
>> same buffer sizes and I am not able to find a difference.
>
> I have some ws-x6248 (48 port 10/100 copper FE), some ws-x6348 (48 port
> 10/100 copper FE), and some ws-x6148A (48 port 10/100/1000 copper GE).
> Admittedly I don't have any 6148 10/100 cards as a direct comparison.
>
> We've now declared the 6348s as infrastructure only, due to packet loss. In
> an application where we're using it for customers rate-limited to 10Mbps (or
> lower) or committing to 10Mbps (or lower), it's theoretically <10% loaded
> and still dropping packets.
> 6248s were already on their way out, due to
> less (if any) QoS support.
>
> The 6148As are "wiring closet" cards, limited to 6Gbps total and 1Gbps per 8
> ports. I believe this also precludes any >1Gbps EtherChannels, but we
> haven't gone there. For our uses, a SIGNIFICANT boost over the 6348s.
>
> pt
>

From tdurack at gmail.com Tue Dec 23 13:12:56 2008
From: tdurack at gmail.com (Tim Durack)
Date: Tue, 23 Dec 2008 13:12:56 -0500
Subject: [c-nsp] MPLS-VPN migration
In-Reply-To: <00d101c961a8$a6858ce0$f390a6a0$@id.au>
References: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com> <01d401c960e8$6bc17710$43446530$@id.au> <00d101c961a8$a6858ce0$f390a6a0$@id.au>
Message-ID: <9e246b4d0812231012r4910467dp472a53048b63355a@mail.gmail.com>

On Fri, Dec 19, 2008 at 2:08 AM, Aaron Daniels - Lists wrote:
> I have had a few requests for this so I thought I'd put it on-list.
>
> Thanks,
> Aaron Daniels
>
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Daniels - Lists
>> Sent: Thursday, 18 December 2008 6:13 PM
>> To: 'Tim Durack'; cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] MPLS-VPN migration
>>
>> We just tackled this one in our organisation.
>>
>> 2 Gotchas.
>>
>> 1. Router-id must be different between peers, make sure your code
>> supports vrf specific router-id.
>> 2. iBGP was very messy IMHO, so we went with eBGP using local-as to
>> have each vrf appear to be a different 65xxx AS
>>
>> I can send you my lab configs tomorrow.
>>
>> Thanks,
>> Aaron

Thanks for sharing - much appreciated.

I have heard several people say an iBGP version is messy. What is the difference?
(I'm not opposed to the eBGP config, just like to know what both look like.)

Tim:>

From oboehmer at cisco.com Tue Dec 23 13:47:22 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 23 Dec 2008 19:47:22 +0100
Subject: [c-nsp] MPLS VPN Problem - EoS conflict
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840699477E@xmb-ams-333.emea.cisco.com>

Ibrahim Abo Zaid <> wrote on Tuesday, December 23, 2008 11:23:

> Hi All
>
>
> I was implementing MPLS VPN topology and by mistake I was configuring
> PE-LP used for MP-BGP peering with a wrong mask /24 instead of /32
> (remote PE-LP mask is /32).
>
> By T.S, I discovered that P router upstream of this PE was dropping
> incoming MPLS packets with the below error message
>
> tagsw_replace_header: Pkt drop -- EoS conflict, incg label 18 hwinput Fa0/0
>
> discovering FIB
>
> 3#sh mpls forwarding-table | in 18
>
> 18 Untagged 150.1.3.3/32 1230 Se0/1 point2point
>
> so when the mask was /24, PE advertises label as untag label so
> incoming traffic over MPLS interface will be converted to IP traffic
> and looking up in LFIB, it will forward it down MPLS interface to PE
> as native IP packet while it should be MPLS packet with label-3

Hmm, the above LFIB shows /32, but you said you configured it as /24? Are you running OSPF? I guess this would explain it: OSPF advertises loopbacks with a /32, so remote routers installed the /32, but the local router installed the connected route with a /24 and advertised an imp-null for it. No LIB entry existed for the /32, hence the "untagged"..

oli

From paul at paulstewart.org Tue Dec 23 14:05:14 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 23 Dec 2008 14:05:14 -0500
Subject: [c-nsp] 6509 with ws-x6148 or ws-x6348?
In-Reply-To:
References: <20081223104110.292290@gmx.net> <495115C1.10507@templin.org>
Message-ID: <047401c96531$69a2a740$3ce7f5c0$@org>

For a LAN party though, throughput shouldn't really matter that much....
you're using a Cisco switch which is MUCH better than any LAN party I've seen. The last one I went to had several hundred computers connected on Dlink crap.... that didn't work so good..;)

When you figure 100-150Kbps on some games I have played, it's more about latency and consistency which with a class 6148 I can't see a reason for any problems...

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geoffrey Pendery
Sent: December 23, 2008 12:44 PM
To: Pete Templin
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6509 with ws-x6148 or ws-x6348?

Just to clarify that, the 6148A is the newer/better version of the 6148, not just the GE version.

The term after the number tells the speed:

WS-X6148A-GE-TX - new 10/100/1000
WS-X6148A-RJ-45 - new 10/100
WS-X6148-RJ45 - old 10/100

The 6148 vs 6348 vs 6548 vs 6748 distinction is more about the forwarding technology (classic bus, CEF256, CEF720). However, both 6148 and 6348 are classic bus with no fabric, and I'm having trouble finding the distinction between them.

According to Cisco:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a0080118a5c.shtml

"Each WS-X6348 card is controlled by a single Application-Specific Integrated Circuit (ASIC) that connects the module to both the 32 GB data bus backplane of the switch and to a set of four other ASICs which controls groups of 12 10/100 ports."

I can't find a similar document on the 6148, but I wouldn't expect it to perform better (6148A however is much better but also newer and thus probably more expensive "on the bay").

There are limitations on the ASICs, the backplane bus, and the Supervisor, but I wouldn't expect them to be a problem for a LAN party. Just as he mentioned, don't expect to drive a full 100 Mbps to each port all the time.
-Geoff

On Tue, Dec 23, 2008 at 10:45 AM, Pete Templin wrote:
> wellknown at gmx.net wrote:
>
>> Can anyone explain the difference between the cards ws-x6148 and
>> ws-x6348? Both are relatively cheaply available on the bay. I read
>> about some problems with the x-6348 on the list. Seems that they have
>> same buffer sizes and I am not able to find a difference.
>
> I have some ws-x6248 (48 port 10/100 copper FE), some ws-x6348 (48 port
> 10/100 copper FE), and some ws-x6148A (48 port 10/100/1000 copper GE).
> Admittedly I don't have any 6148 10/100 cards as a direct comparison.
>
> We've now declared the 6348s as infrastructure only, due to packet loss. In
> an application where we're using it for customers rate-limited to 10Mbps (or
> lower) or committing to 10Mbps (or lower), it's theoretically <10% loaded
> and still dropping packets. 6248s were already on their way out, due to
> less (if any) QoS support.
>
> The 6148As are "wiring closet" cards, limited to 6Gbps total and 1Gbps per 8
> ports. I believe this also precludes any >1Gbps EtherChannels, but we
> haven't gone there. For our uses, a SIGNIFICANT boost over the 6348s.
>
> pt
>

From nasir.shaikh at bt.com Tue Dec 23 14:16:16 2008
From: nasir.shaikh at bt.com (nasir.shaikh at bt.com)
Date: Tue, 23 Dec 2008 19:16:16 -0000
Subject: [c-nsp] Strange IPSec problem
Message-ID: <2B0ABDF9E4A1204AA7467F20075354560700F72B@E03MVZ4-UKDY.domain1.systemhost.net>

Hi,

I have an IPsec tunnel established between an 871 on the remote end and a 2811 on the central side.
There are several other remote sites all connecting to the same central router. All IPSec tunnels are active.

From this particular router I can ping servers/hosts on the central site without any problems. However, from a host (laptop) directly connected to the 871 there are strange problems.

When doing a ping to a host it does not work. Next a traceroute is done to the host which is successful. Subsequent ping to the same host is successful.

Same is true the other way around: From a server on the central site a ping to the laptop fails. A traceroute afterwards is successful. Subsequent pings are successful.

Again, when doing pings from the router itself (using the LAN interface as source) there are no connectivity problems.

Encryption / decryption counters are equal. There is no personal firewall running on the laptop.

Anyone come across this issue?

Regards
Nas

From swmike at swm.pp.se Tue Dec 23 15:50:17 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 23 Dec 2008 21:50:17 +0100 (CET)
Subject: [c-nsp] 6509 with ws-x6148 or ws-x6348?
In-Reply-To: <047401c96531$69a2a740$3ce7f5c0$@org>
References: <20081223104110.292290@gmx.net> <495115C1.10507@templin.org> <047401c96531$69a2a740$3ce7f5c0$@org>
Message-ID:

On Tue, 23 Dec 2008, Paul Stewart wrote:

> For a LAN party though, throughput shouldn't really matter that much....
> you're using a Cisco switch which is MUCH better than any LAN party I've
> seen. The last one I went to had several hundred computers connected on
> Dlink crap.... that didn't work so good..;)

Guess it all matters what kind of LAN parties we're talking about. There are the ones with 10k computers that have CRS-1 as core and Sup720 with 10GE as distribution, pushing 20+ gigabit/s of Internet bw (over OC768 IPoDWDM uplink card), then I guess there are the ones you're talking about.

So I would be dismissing need because it's a "LAN party" without knowing more about what scale we're talking.
--
Mikael Abrahamsson email: swmike at swm.pp.se

From tvarriale at comcast.net Tue Dec 23 18:27:08 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 23 Dec 2008 17:27:08 -0600
Subject: [c-nsp] Cisco 2950 oddities with MDI-X and unicast flooding
References:
Message-ID:

AFAIK 2950 does not support auto mdix.

tv

----- Original Message -----
From: "Frank Bulk"
To:
Sent: Tuesday, December 23, 2008 8:25 AM
Subject: [c-nsp] Cisco 2950 oddities with MDI-X and unicast flooding

> I had a case of unicast flooding that started Thursday morning and all the
> technotes I was reading weren't helping me. Since the Cisco 2950T-24 was
> up for over two years and running 12.1(22)EA2, I thought I would upgrade it
> to 12.1(22)EA11 to match all my other 2950s and reboot.
>
> The upgrade resolved the unicast flooding (can anyone explain how/why that
> should be?) but I lost my inter-office transport link on the Fa0/1
> (10/100). The switch said "down" and the transport gear said "down". Very strange.
> Seeing that other switches into this transport gear had cross-over cables,
> I snapped in a cross-over cable and voila, the link went up. Anyone see
> that before?
>
> Frank
>

From justin at justinshore.com Tue Dec 23 18:35:04 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 23 Dec 2008 17:35:04 -0600
Subject: [c-nsp] Sharing HSRP group numbers across multiple HSRP instances
In-Reply-To: <20081223102749.GA23350@wildfire.net.ic.ac.uk>
References: <494FE823.9060201@justinshore.com> <67F7C1FAF83A074AA3520D8F155782A502590449@xmb-ams-331.emea.cisco.com> <49500F91.8000001@justinshore.com> <20081223102749.GA23350@wildfire.net.ic.ac.uk>
Message-ID: <495175A8.8010605@justinshore.com>

Phil Mayers wrote:
> That's the "HSRP multiple group optimisation" which is available on SXI
> and SRsomething, but sadly it supports routed subints on the same master
> physical int *only* - no SVIs:
>
> int Gi1/1.1
>  standby name foo
>  ! other config
> int Gi1/1.2
>  standby follow foo
>  ! other config
>
> Attempting to configure on SVIs gives some random error message about
> "different physical parent interfaces". I can't see any reason for the
> restriction - I keep meaning to put an RFE in.

Thanks for the info. I'll add this to my feature request list right behind BFD for SVIs. :-)

Justin

From thilak.t at gmail.com Wed Dec 24 03:05:40 2008
From: thilak.t at gmail.com (Thilak T)
Date: Wed, 24 Dec 2008 00:05:40 -0800
Subject: [c-nsp] elam packet capture
Message-ID: <1d11fbf80812240005t5c3229c6h2535f39a98bb1e51@mail.gmail.com>

Hello

Can anyone please guide me to understand how to find out physical interface to DEST_INDEX mapping. I did an elam capture to trace an IP packet going to a CSS VIP.
RBUS data:
SEQ_NUM [5] = 0x17
CCC [3] = b100 [L3_RW]
CAP1 [1] = 0
CAP2 [1] = 0
QOS [3] = 0
EGRESS [1] = 0
DT [1] = 0 [IP]
TL [1] = 0 [B32]
FLOOD [1] = 0
*DEST_INDEX [19] = 0x2E*
VLAN [12] = 250
RBH [3] = b010
RDT [1] = 0
GENERIC [1] = 0
EXTRA_CICLE [1] = 0
FABRIC_PRIO [1] = 0
L2 [1] = 0
FCS1 [8] = 0x1
IP_TOS_VALID [1] = 1

From avayner at cisco.com Wed Dec 24 03:52:00 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 24 Dec 2008 09:52:00 +0100
Subject: [c-nsp] elam packet capture
In-Reply-To: <1d11fbf80812240005t5c3229c6h2535f39a98bb1e51@mail.gmail.com>
References: <1d11fbf80812240005t5c3229c6h2535f39a98bb1e51@mail.gmail.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A502590750@xmb-ams-331.emea.cisco.com>

Thilak,

Try running this command:

Router-sp#test mcast ltl index ef
index 0xEF contain ports 4/48

(in your case change ef with 2e)

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Thilak T
Sent: Wednesday, December 24, 2008 10:06
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] elam packet capture

Hello

Can anyone please guide me to understand how to find out physical interface to DEST_INDEX mapping. I did an elam capture to trace an IP packet going to a CSS VIP.
RBUS data:
SEQ_NUM [5] = 0x17
CCC [3] = b100 [L3_RW]
CAP1 [1] = 0
CAP2 [1] = 0
QOS [3] = 0
EGRESS [1] = 0
DT [1] = 0 [IP]
TL [1] = 0 [B32]
FLOOD [1] = 0
*DEST_INDEX [19] = 0x2E*
VLAN [12] = 250
RBH [3] = b010
RDT [1] = 0
GENERIC [1] = 0
EXTRA_CICLE [1] = 0
FABRIC_PRIO [1] = 0
L2 [1] = 0
FCS1 [8] = 0x1
IP_TOS_VALID [1] = 1

From asturluismi at gmail.com Wed Dec 24 04:20:38 2008
From: asturluismi at gmail.com (luismi)
Date: Wed, 24 Dec 2008 10:20:38 +0100
Subject: [c-nsp] Lab Tool
In-Reply-To:
References:
Message-ID: <1230110438.7356.0.camel@dsba-ipso>

http://www.sins.com.au/nmis/

On Tue, 23-12-2008 at 23:07 +0530, Aman Chugh wrote:
> Hello List,
>
> I am looking for a tool for consolidating all my devices in my lab in
> different racks and which should act like a database of all my devices with
> information about the IOS code and software running on these devices, plus
> the ability to telnet to the device from a webpage. Please let me know some
> tools either free or $ which can be used for this purpose.
>
> TIA
>
> Aman

From nick.jon.griffin at gmail.com Wed Dec 24 11:54:56 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Wed, 24 Dec 2008 10:54:56 -0600
Subject: [c-nsp] 6500 and VSS
Message-ID:

Looking for some real world input here so coming to the pros. Anyone using 6500's with VSS implemented? Looking for people's feedback who are using it in production. I had heard awhile back that there are issues with support for ISSU, is this still the case? Just looking for some pros and cons.
Thanks in advance,

Nick Griffin

From thomas at dupas.be Wed Dec 24 12:17:04 2008
From: thomas at dupas.be (Thomas Dupas)
Date: Wed, 24 Dec 2008 18:17:04 +0100
Subject: [c-nsp] 6500 and VSS
In-Reply-To:
References:
Message-ID:

ISSU should be supported in the SXI release, but haven't verified that yet in real life (no other release yet to upgrade to).

About production experience: no real show-stoppers so far (besides the upgrade/downtime one, which ISSU should solve), just remember that MPLS isn't supported (yet?)

Best regards,
Thomas Dupas

On 24-dec-08, at 18:02, "Nick Griffin" wrote:

> Looking for some real world input here so coming to the pros.
> Anyone using 6500's with VSS implemented? Looking for people's feedback who are
> using it in production. I had heard awhile back that there are issues with
> support for ISSU, is this still the case? Just looking for some pros and
> cons.
>
> Thanks in advance,
>
> Nick Griffin

From thilak.t at gmail.com Wed Dec 24 13:17:18 2008
From: thilak.t at gmail.com (Thilak T)
Date: Wed, 24 Dec 2008 10:17:18 -0800
Subject: [c-nsp] elam packet capture
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A502590750@xmb-ams-331.emea.cisco.com>
References: <1d11fbf80812240005t5c3229c6h2535f39a98bb1e51@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A502590750@xmb-ams-331.emea.cisco.com>
Message-ID: <1d11fbf80812241017n49f77c2o3f48a327349fc3ce@mail.gmail.com>

Thanks for the quick reply. I am running 12.2(18)SXF10a; "test mcast ltl index" doesn't seem to work. However, in this case I could find the interface number since I know where the CSS was connected. Can you guide me to find the index number some other way?

Here is what I did to find out.
bbr00m1#*show tcam interface gigabitEthernet 1/47 qos type1 arp detail*

* Global Defaults not shared

--------------------------------------------------------------
T - V(Value) M(Mask) R(Result)
A - ARP Packet R - RARP Packet X - XTAG
--------------------------------------------------------------

*Interface: 46 * label: 511 lookup_type: 1

##### *DEST_INDEX [19] = 0x2E* is *Interface: 46 *

protocol: ARP packet-type: 3
+-+-----+--+-+------------+---------------+
|T|Index|AR|X| Dest Node  | Source Node   |
+-+-----+--+-+------------+---------------+
V 36839 -- 0 0 0 <-
M 36845 -- 0 0 0 <-
R rslt: 0 <-

On Wed, Dec 24, 2008 at 12:52 AM, Arie Vayner (avayner) wrote:
> Thilak,
>
>
> Try running this command:
>
> Router-sp#test mcast ltl index ef
> index 0xEF contain ports 4/48
>
> (in your case change ef with 2e)
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Thilak T
> Sent: Wednesday, December 24, 2008 10:06
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] elam packet capture
>
> Hello
>
> Can anyone please guide me to understand how to find out physical
> interface to DEST_INDEX mapping. I did an elam capture to trace an IP packet going
> to a CSS VIP.
>
> RBUS data:
> SEQ_NUM [5] = 0x17
> CCC [3] = b100 [L3_RW]
> CAP1 [1] = 0
> CAP2 [1] = 0
> QOS [3] = 0
> EGRESS [1] = 0
> DT [1] = 0 [IP]
> TL [1] = 0 [B32]
> FLOOD [1] = 0
> *DEST_INDEX [19] = 0x2E*
> VLAN [12] = 250
> RBH [3] = b010
> RDT [1] = 0
> GENERIC [1] = 0
> EXTRA_CICLE [1] = 0
> FABRIC_PRIO [1] = 0
> L2 [1] = 0
> FCS1 [8] = 0x1
> IP_TOS_VALID [1] = 1
>

From ibrahim.abozaid at gmail.com Wed Dec 24 14:44:47 2008
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Wed, 24 Dec 2008 21:44:47 +0200
Subject: [c-nsp] MPLS Label question
Message-ID:

Hi All

MPLS Label Untag removes all labels from MPLS packets and sends them as native IP packets.

My question is: packets with untag label will be sent over IP interface not MPLS interface and FIB lookup occur prefixes with this tag ?
best regards
--Ibrahim

From nicotine at warningg.com Wed Dec 24 13:43:33 2008
From: nicotine at warningg.com (Brandon Ewing)
Date: Wed, 24 Dec 2008 12:43:33 -0600
Subject: [c-nsp] 32 bit ASN
In-Reply-To: <9F66B1E4971A064794AF6AB952A3ADDD054C588A@VTSVEXCH01.versatel.local>
References: <9F66B1E4971A064794AF6AB952A3ADDD054C588A@VTSVEXCH01.versatel.local>
Message-ID: <20081224184333.GF18899@biological.warningg.com>

On Thu, Dec 18, 2008 at 11:55:01AM +0100, Marcus.Gerdon wrote:
> Hi @All,
>
> what information I got regarding AS32 is somewhat worrisome:
>
> 12.0(32)S12 Q4/2008
> for 72 & GSR
>

12.0(32)S12 is out as of yesterday with support for 4-byte AS on GRP and PRP

http://www.cisco.com/en/US/docs/ios/12_0s/release/ntes/120SNEWF.html#wp3521658

I loaded it on a test router yesterday -- I immediately ran into the issue discussed last week on NANOG:

http://markmail.org/message/3ofvjyggayfxezna

--
Brandon Ewing (nicotine at warningg.com)

From adriankok2000 at yahoo.com.hk Wed Dec 24 14:33:00 2008
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Thu, 25 Dec 2008 03:33:00 +0800 (CST)
Subject: [c-nsp] ASA question
Message-ID: <262809.19185.qm@web33307.mail.mud.yahoo.com>

Hi

How can I empty the cache in ASA?

I transferred the IP from one server to another server, but the ASA is still only recognizing the old server.

Thank you

From gkg at gmx.de Wed Dec 24 15:48:45 2008
From: gkg at gmx.de (Garry)
Date: Wed, 24 Dec 2008 21:48:45 +0100
Subject: [c-nsp] ASA question
In-Reply-To: <262809.19185.qm@web33307.mail.mud.yahoo.com>
References: <262809.19185.qm@web33307.mail.mud.yahoo.com>
Message-ID: <4952A02D.7080309@gmx.de>

adrian kok wrote:
> Hi
>
> How can I empty the cache in ASA?

Do you mean ARP cache? Have you tried "clear arp"?
-garry

From vijay.ramcharan at verizonbusiness.com Wed Dec 24 15:40:53 2008
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Wed, 24 Dec 2008 20:40:53 +0000
Subject: [c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A502590750@xmb-ams-331.emea.cisco.com>
References: <1d11fbf80812240005t5c3229c6h2535f39a98bb1e51@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A502590750@xmb-ams-331.emea.cisco.com>
Message-ID:

I've read the doc at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1027175 and ignoring the restriction about mapping VRF to VRF traffic have tried (unsuccessfully) to circumvent this restriction.

Is it at all possible to terminate an IPSec L2L tunnel in VRF A and then have traffic exit that VRF A to reach resources located in VRF B or possibly the global routing table?

I see the security implications naturally of allowing traffic from remote sites to leak across VRFs but if it's not possible then is there some way of providing a "central service" type of resource to a bunch of different sites (assume each site goes into a different VRF) which connect to that resource via IPSec tunnels?

[Site A]---IPSec tunnel over Internet---[Hub Router--VRF A--]
                                                           |
                                                        [VRF B]
                                                           |
                                                   (Central Service)

Vijay Ramcharan

From dcp at dcptech.com Wed Dec 24 16:30:55 2008
From: dcp at dcptech.com (David Prall)
Date: Wed, 24 Dec 2008 16:30:55 -0500
Subject: [c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs
In-Reply-To:
References: <1d11fbf80812240005t5c3229c6h2535f39a98bb1e51@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A502590750@xmb-ams-331.emea.cisco.com>
Message-ID: <002c01c9660e$ebd17d80$c3747880$@com>

Give each VRF a rd, and do an import/export of that rd. Configure BGP, don't even need to use it as your routing protocol. Each VRF should automagically have the address family configured.
Now under the ip vrf configuration import the other VRF's rd. Now you have reachability at one location.

Another solution is to create a static route and point it at the physical interface of the other VRF. You'll need to do this in both directions.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ramcharan, Vijay A
> Sent: Wednesday, December 24, 2008 3:41 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs
>
> I've read the doc at
> http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1027175
> and ignoring the restriction about mapping VRF to VRF traffic have
> tried (unsuccessfully) to circumvent this restriction.
>
> Is it at all possible to terminate an IPSec L2L tunnel in VRF A and
> then have traffic exit that VRF A to reach resources located in VRF B or
> possibly the global routing table?
>
> I see the security implications naturally of allowing traffic from
> remote sites to leak across VRFs but if it's not possible then is there
> some way of providing a "central service" type of resource to a bunch
> of different sites (assume each site goes into a different VRF) which
> connect to that resource via IPSec tunnels?
>
> [Site A]---IPSec tunnel over Internet---[Hub Router--VRF A--]
>                                                            |
>                                                         [VRF B]
>                                                            |
>                                                    (Central Service)
>
> Vijay Ramcharan

From largent at ai.net Wed Dec 24 16:16:49 2008
From: largent at ai.net (L'argent)
Date: Wed, 24 Dec 2008 16:16:49 -0500
Subject: [c-nsp] Small IAD - Voip to PRI
Message-ID: <4952A6C1.2060708@ai.net>

I'm looking for a small box, pref Cisco, that will take 23 channels of VOIP and hand it off as a PRI suitable for use in a Norstar/Meridian phone system. [transparent SIP gateway basically -- pass through caller id/name/etc] I believe a ISR 1841 can do it, but I'm not 100%.

Anyone been here/done that?

thanks,

LA

From jay at west.net Wed Dec 24 17:08:07 2008
From: jay at west.net (Jay Hennigan)
Date: Wed, 24 Dec 2008 14:08:07 -0800
Subject: [c-nsp] Small IAD - Voip to PRI
In-Reply-To: <4952A6C1.2060708@ai.net>
References: <4952A6C1.2060708@ai.net>
Message-ID: <4952B2C7.5050502@west.net>

L'argent wrote:
>
> I'm looking for a small box, pref Cisco, that will take 23 channels of
> VOIP and hand it off as a PRI suitable for use in a Norstar/Meridian
> phone system. [transparent SIP gateway basically -- pass through caller
> id/name/etc] I believe a ISR 1841 can do it, but I'm not 100%.
>
> Anyone been here/done that?

Not Cisco, but the Adtran TA904 will do that just fine, assuming SIP signaling on the VoIP side. If you need SCCP for interoperability with Cisco, you'll need Cisco gear.
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From jackson.tim at gmail.com Wed Dec 24 18:04:28 2008
From: jackson.tim at gmail.com (Tim Jackson)
Date: Wed, 24 Dec 2008 17:04:28 -0600
Subject: [c-nsp] Small IAD - Voip to PRI
In-Reply-To: <4952A6C1.2060708@ai.net>
References: <4952A6C1.2060708@ai.net>
Message-ID: <4407932e0812241504u1937364ak217eb698327f72c0@mail.gmail.com>

IAD-2431-2T1E1... Has 2xFE 2xT1 can do all sorts of stuff.. Works great for this...

--
Tim

On 12/24/08, L'argent wrote:
>
> I'm looking for a small box, pref Cisco, that will take 23 channels of
> VOIP and hand it off as a PRI suitable for use in a Norstar/Meridian
> phone system. [transparent SIP gateway basically -- pass through caller
> id/name/etc] I believe a ISR 1841 can do it, but I'm not 100%.
>
> Anyone been here/done that?
>
> thanks,
>
> LA
>

--
Sent from my mobile device

From Moens at carrier2carrier.com Wed Dec 24 18:31:03 2008
From: Moens at carrier2carrier.com (Martin Moens)
Date: Thu, 25 Dec 2008 00:31:03 +0100
Subject: [c-nsp] Small IAD - Voip to PRI
In-Reply-To: <4952A6C1.2060708@ai.net>
Message-ID: <42F0C766A9A8DB47B5E86CA64738DC8B01905DC7@bilbo.bdhz.c2c.local>

1841 doesn't do voice. (It has no DSP's)

28xx surely will do the trick, and also 2600XM with NM-HDV2-1T1/E1.

Martin

On Wednesday, 24 December, 2008 22:17 L'argent <> wrote:
> I'm looking for a small box, pref Cisco, that will take 23 channels of
> VOIP and hand it off as a PRI suitable for use in a Norstar/Meridian
> phone system. [transparent SIP gateway basically -- pass through
> caller id/name/etc] I believe a ISR 1841 can do it, but I'm not 100%.
>
> Anyone been here/done that?
>
> thanks,
>
> LA

From dwinkworth at att.net Wed Dec 24 17:58:31 2008
From: dwinkworth at att.net (Derick Winkworth)
Date: Wed, 24 Dec 2008 14:58:31 -0800 (PST)
Subject: [c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs
Message-ID: <702232.17135.qm@web180014.mail.gq1.yahoo.com>

If security is an issue, put any old router in that will do VRFs and configure it with IOS FW or ACLs... You can put an IOS FW "on a stick" with VLAN's going to it...

Or put an actual firewall in place...

________________________________
From: "Ramcharan, Vijay A"
To: cisco-nsp at puck.nether.net
Sent: Wednesday, December 24, 2008 2:40:53 PM
Subject: [c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs

I've read the doc at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1027175 and ignoring the restriction about mapping VRF to VRF traffic have tried (unsuccessfully) to circumvent this restriction.

Is it at all possible to terminate an IPSec L2L tunnel in VRF A and then have traffic exit that VRF A to reach resources located in VRF B or possibly the global routing table?

I see the security implications naturally of allowing traffic from remote sites to leak across VRFs but if it's not possible then is there some way of providing a "central service" type of resource to a bunch of different sites (assume each site goes into a different VRF) which connect to that resource via IPSec tunnels?
[Site A]---IPSec tunnel over Internet---[Hub Router--VRF A--]
                                                           |
                                                        [VRF B]
                                                           |
                                                   (Central Service)

Vijay Ramcharan

From dwinkworth at att.net Wed Dec 24 19:22:02 2008
From: dwinkworth at att.net (Derick Winkworth)
Date: Wed, 24 Dec 2008 18:22:02 -0600
Subject: [c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs
In-Reply-To: <702232.17135.qm@web180014.mail.gq1.yahoo.com>
References: <702232.17135.qm@web180014.mail.gq1.yahoo.com>
Message-ID: <4952D22A.30400@att.net>

I stated that wrong, the old router does not need to do VRFs... It just needs to do VLAN's.

Derick Winkworth wrote:
> If security is an issue, put any old router in that will do VRFs and configure it with IOS FW or ACLs... You can put an IOS FW "on a stick" with VLAN's going to it...
>
> Or put an actual firewall in place...
>
>
>
>
> ________________________________
> From: "Ramcharan, Vijay A"
> To: cisco-nsp at puck.nether.net
> Sent: Wednesday, December 24, 2008 2:40:53 PM
> Subject: [c-nsp] IPSec L2L tunnel - traffic from IVRF to other VRFs
>
> I've read the doc at
> http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1027175
> and ignoring the restriction about mapping VRF to VRF traffic have
> tried (unsuccessfully) to circumvent this restriction.
>
> Is it at all possible to terminate an IPSec L2L tunnel in VRF A and then
> have traffic exit that VRF A to reach resources located in VRF B or
> possibly the global routing table?
>
> I see the security implications naturally of allowing traffic from
> remote sites to leak across VRFs but if it's not possible then is there
> some way of providing a "central service" type of resource to a bunch of
> different sites (assume each site goes into a different VRF) which
> connect to that resource via IPSec tunnels?
>
> [Site A]---IPSec tunnel over Internet---[Hub Router--VRF A--]
>                                                            |
>                                                         [VRF B]
>                                                            |
>                                                    (Central Service)
>
> Vijay Ramcharan
>

From stig.johansen at ementor.no Wed Dec 24 19:23:08 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Thu, 25 Dec 2008 01:23:08 +0100
Subject: [c-nsp] elam packet capture
In-Reply-To: <1d11fbf80812241017n49f77c2o3f48a327349fc3ce@mail.gmail.com>
References: <1d11fbf80812240005t5c3229c6h2535f39a98bb1e51@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A502590750@xmb-ams-331.emea.cisco.com> <1d11fbf80812241017n49f77c2o3f48a327349fc3ce@mail.gmail.com>
Message-ID: <5EB9799F396A304686962AFFF740ED0CB1754A08@NOOSLEXCH001.adno.local>

> Thanks for the quick reply. I am running 12.2(18)SXF10a; "test mcast ltl index" doesn't seem to work. However, in this case I could find the
> interface number since I know where the CSS was connected. Can you guide me to find the index number some other way?
Take care to note that the "test mcast ltl index" command is performed while attached to the supervisor (the same place you do the ELAM packet captures).

> Router-sp#test mcast ltl index ef
> index 0xEF contain ports 4/48

/Stig

From Moens at carrier2carrier.com Wed Dec 24 19:34:42 2008
From: Moens at carrier2carrier.com (Martin Moens)
Date: Thu, 25 Dec 2008 01:34:42 +0100
Subject: [c-nsp] Small IAD - Voip to PRI
In-Reply-To: <4952A6C1.2060708@ai.net>
Message-ID: <42F0C766A9A8DB47B5E86CA64738DC8B01905DC8@bilbo.bdhz.c2c.local>

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/voicedensity.pdf

On Wednesday, 24 December, 2008 22:17 L'argent <> wrote:
> I'm looking for a small box, pref Cisco, that will take 23 channels of VOIP and hand it off as a PRI suitable for use in a Norstar/Meridian phone system. [transparent SIP gateway basically -- pass through caller id/name/etc] I believe an ISR 1841 can do it, but I'm not 100%.
>
> Anyone been here/done that?
>
> thanks,
>
> LA

From gert at greenie.muc.de Thu Dec 25 05:56:17 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 25 Dec 2008 11:56:17 +0100
Subject: [c-nsp] 6500 and VSS
In-Reply-To:
References:
Message-ID: <20081225105617.GB8535@greenie.muc.de>

Hi,

On Wed, Dec 24, 2008 at 06:17:04PM +0100, Thomas Dupas wrote:
> About production experience: no real show-stoppers so far (besides the upgrade/downtime one, which issu should solve), just remember that mpls isn't supported (yet?)

Neither is IPv6. Which is a real show-stopper for some networks.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/                 Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025                gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From tdurack at gmail.com Thu Dec 25 08:07:45 2008
From: tdurack at gmail.com (Tim Durack)
Date: Thu, 25 Dec 2008 08:07:45 -0500
Subject: [c-nsp] 6500 and VSS
In-Reply-To: <20081225105617.GB8535@greenie.muc.de>
References: <20081225105617.GB8535@greenie.muc.de>
Message-ID: <9e246b4d0812250507y18289219k3efdeffd572873cb@mail.gmail.com>

On Thu, Dec 25, 2008 at 5:56 AM, Gert Doering wrote:
> Hi,
>
> On Wed, Dec 24, 2008 at 06:17:04PM +0100, Thomas Dupas wrote:
>> About production experience: no real show-stoppers so far (besides the upgrade/downtime one, which issu should solve), just remember that mpls isn't supported (yet?)
>
> Neither is IPv6. Which is a real show-stopper for some networks.
>
> gert
> --

"SXH" has proven itself to be an effective show-stopper for our networks. We're hoping "SXI" is better...

(If Cisco can't get the basics right, why should I trust any of their fancy stuff?)

Tim:>

From gert at greenie.muc.de Thu Dec 25 10:24:24 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 25 Dec 2008 16:24:24 +0100
Subject: [c-nsp] 6500 and VSS
In-Reply-To: <9e246b4d0812250507y18289219k3efdeffd572873cb@mail.gmail.com>
References: <20081225105617.GB8535@greenie.muc.de> <9e246b4d0812250507y18289219k3efdeffd572873cb@mail.gmail.com>
Message-ID: <20081225152424.GD8535@greenie.muc.de>

Hi,

On Thu, Dec 25, 2008 at 08:07:45AM -0500, Tim Durack wrote:
> "SXH" has proven itself to be an effective show-stopper for our networks. We're hoping "SXI" is better...

We're quite happy with SXH3a and SXI, actually :-)

(Well, BFD on SVI would be nice...)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/                 Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025                gert at net.informatik.tu-muenchen.de

From tvarriale at comcast.net Thu Dec 25 10:33:29 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 25 Dec 2008 09:33:29 -0600
Subject: [c-nsp] 6500 and VSS
References: <20081225105617.GB8535@greenie.muc.de> <9e246b4d0812250507y18289219k3efdeffd572873cb@mail.gmail.com>
Message-ID:

Would you mind sharing which "features" you are bouncing off of?

We have a couple of implementations and they are going well.

No SXI yet w/ other blades....SXH with basic stuff appears to work ok especially for a rev 1 feature.

tv

----- Original Message -----
From: "Tim Durack"
To: "Gert Doering"
Cc: "cisco-nsp"
Sent: Thursday, December 25, 2008 7:07 AM
Subject: Re: [c-nsp] 6500 and VSS

> On Thu, Dec 25, 2008 at 5:56 AM, Gert Doering wrote:
>> Hi,
>>
>> On Wed, Dec 24, 2008 at 06:17:04PM +0100, Thomas Dupas wrote:
>>> About production experience: no real show-stoppers so far (besides the upgrade/downtime one, which issu should solve), just remember that mpls isn't supported (yet?)
>>
>> Neither is IPv6. Which is a real show-stopper for some networks.
>>
>> gert
>> --
>
> "SXH" has proven itself to be an effective show-stopper for our networks. We're hoping "SXI" is better...
>
> (If Cisco can't get the basics right, why should I trust any of their fancy stuff?)
>
> Tim:>

From tdurack at gmail.com Thu Dec 25 11:57:28 2008
From: tdurack at gmail.com (Tim Durack)
Date: Thu, 25 Dec 2008 11:57:28 -0500
Subject: [c-nsp] 6500 and VSS
In-Reply-To:
References: <20081225105617.GB8535@greenie.muc.de> <9e246b4d0812250507y18289219k3efdeffd572873cb@mail.gmail.com>
Message-ID: <9e246b4d0812250857i54a4cfa1ya5fce4c00b090425@mail.gmail.com>

On Thu, Dec 25, 2008 at 10:33 AM, Tony Varriale wrote:
> Would you mind sharing which "features" you are bouncing off of?
>
> We have a couple of implementations and they are going well.
>
> No SXI yet w/ other blades....SXH with basic stuff appears to work ok especially for a rev 1 feature.

SXH2 has some critical NetFlow bugs. Cisco said disable "ip flow ingress" on all interfaces as a work-around. Unfortunately we have experienced other crashes too, without identifying root-cause. At this point we have completed the migration to SXI, so I'm trying to forget all about SXH.

(I should probably mention this is modular IOS.)
Tim:>

From ATolstykh at integrysgroup.com Thu Dec 25 16:33:01 2008
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Thu, 25 Dec 2008 15:33:01 -0600
Subject: [c-nsp] 6500 and VSS
In-Reply-To: <9e246b4d0812250857i54a4cfa1ya5fce4c00b090425@mail.gmail.com>
References: <20081225105617.GB8535@greenie.muc.de> <9e246b4d0812250507y18289219k3efdeffd572873cb@mail.gmail.com> <9e246b4d0812250857i54a4cfa1ya5fce4c00b090425@mail.gmail.com>
Message-ID: <6E31172B4025564D861CD73627500BAC02E2FB38@pru-mail02.pe.net>

SXH3a/4 spurious interrupts raised on the following events:

1. Archive feature triggered on the "write mem".
2. L3 port-channel bundle member interface addition with the IP address still configured on the member interface (symptoms include: freeze up for 30 seconds, spurious interrupts with the path to the pagp module).

SXI is free of these defects and overall appears to be running great.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Durack
Sent: Thursday, December 25, 2008 10:57 AM
To: Tony Varriale
Cc: cisco-nsp
Subject: Re: [c-nsp] 6500 and VSS

On Thu, Dec 25, 2008 at 10:33 AM, Tony Varriale wrote:
> Would you mind sharing which "features" you are bouncing off of?
>
> We have a couple of implementations and they are going well.
>
> No SXI yet w/ other blades....SXH with basic stuff appears to work ok especially for a rev 1 feature.

SXH2 has some critical NetFlow bugs. Cisco said disable "ip flow ingress" on all interfaces as a work-around. Unfortunately we have experienced other crashes too, without identifying root-cause. At this point we have completed the migration to SXI, so I'm trying to forget all about SXH.

(I should probably mention this is modular IOS.)
Tim:>

From tvarriale at comcast.net Thu Dec 25 23:26:41 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 25 Dec 2008 22:26:41 -0600
Subject: [c-nsp] 6500 and VSS
References: <20081225105617.GB8535@greenie.muc.de> <9e246b4d0812250507y18289219k3efdeffd572873cb@mail.gmail.com> <9e246b4d0812250857i54a4cfa1ya5fce4c00b090425@mail.gmail.com> <6E31172B4025564D861CD73627500BAC02E2FB38@pru-mail02.pe.net>
Message-ID: <7C8AE13CAD9741738D4CDE444B92DFC5@flamdt1>

Any service mods? Or just straight GE and/or TE?

tv

----- Original Message -----
From: "Tolstykh, Andrew"
To: "Tim Durack" ; "Tony Varriale"
Cc: "cisco-nsp"
Sent: Thursday, December 25, 2008 3:33 PM
Subject: RE: [c-nsp] 6500 and VSS

SXH3a/4 spurious interrupts raised on the following events:

1. Archive feature triggered on the "write mem".
2. L3 port-channel bundle member interface addition with the IP address still configured on the member interface (symptoms include: freeze up for 30 seconds, spurious interrupts with the path to the pagp module).

SXI is free of these defects and overall appears to be running great.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Durack
Sent: Thursday, December 25, 2008 10:57 AM
To: Tony Varriale
Cc: cisco-nsp
Subject: Re: [c-nsp] 6500 and VSS

On Thu, Dec 25, 2008 at 10:33 AM, Tony Varriale wrote:
> Would you mind sharing which "features" you are bouncing off of?
>
> We have a couple of implementations and they are going well.
>
> No SXI yet w/ other blades....SXH with basic stuff appears to work ok especially for a rev 1 feature.

SXH2 has some critical NetFlow bugs. Cisco said disable "ip flow ingress" on all interfaces as a work-around.
Unfortunately we have experienced other crashes too, without identifying root-cause. At this point we have completed the migration to SXI, so I'm trying to forget all about SXH.

(I should probably mention this is modular IOS.)

Tim:>

From tdurack at gmail.com Fri Dec 26 10:49:01 2008
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 26 Dec 2008 10:49:01 -0500
Subject: [c-nsp] MPLS-VPN migration
In-Reply-To: <00d101c961a8$a6858ce0$f390a6a0$@id.au>
References: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com> <01d401c960e8$6bc17710$43446530$@id.au> <00d101c961a8$a6858ce0$f390a6a0$@id.au>
Message-ID: <9e246b4d0812260749t67e87492n7817d531efb0290@mail.gmail.com>

On Fri, Dec 19, 2008 at 2:08 AM, Aaron Daniels - Lists wrote:
> I have had a few requests for this so I thought I'd put it on-list.
>
> Thanks,
> Aaron Daniels
>

Exercise caution if you're trying this on a 6500. I just crashed 12.2(33)SXI in the lab with something like:

router bgp 65001
 template peer-policy self-peer
  prefix-list self-peer in
  prefix-list self-peer out
  soft-reconfiguration inbound
  send-community both
 exit-peer-policy
 !
 template peer-session self-peer
  ebgp-multihop 255
 exit-peer-session
 !
 neighbor 10.1.0.255 remote-as 65255
 neighbor 10.1.0.255 inherit peer-session self-peer
 !
 address-family ipv4 vrf ENG
  bgp router-id 10.1.0.255

I saw the same thing in SXH, but Cisco said it was fixed in SXI. Let's see what they say this time.

Tim:>

From MatlockK at exempla.org Fri Dec 26 13:08:20 2008
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Fri, 26 Dec 2008 11:08:20 -0700
Subject: [c-nsp] Active Supervisor on 6500 - SNMP?
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7037AFB2B@LMC-MAIL2.exempla.org>

I've been looking around all morning, and I can't seem to find an answer to this.
Is there an SNMP MIB to tell me which supervisor in a cat6500-series chassis is currently the active, and what state (hot/cold/etc) the standby supervisor is in?

I've done searches, and looked through the MIBs (what fun, let me tell ya!) but no luck so far.

Thanks for the help!

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

From tdurack at gmail.com Fri Dec 26 14:38:45 2008
From: tdurack at gmail.com (Tim Durack)
Date: Fri, 26 Dec 2008 14:38:45 -0500
Subject: [c-nsp] MPLS-VPN migration
In-Reply-To: <9e246b4d0812260749t67e87492n7817d531efb0290@mail.gmail.com>
References: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com> <01d401c960e8$6bc17710$43446530$@id.au> <00d101c961a8$a6858ce0$f390a6a0$@id.au> <9e246b4d0812260749t67e87492n7817d531efb0290@mail.gmail.com>
Message-ID: <9e246b4d0812261138j4153aecbne5586a2130ea3d38@mail.gmail.com>

> Exercise caution if you're trying this on a 6500. I just crashed 12.2(33)SXI in the lab with something like:
>
> router bgp 65001
>  template peer-policy self-peer
>   prefix-list self-peer in
>   prefix-list self-peer out
>   soft-reconfiguration inbound
>   send-community both
>  exit-peer-policy
>  !
>  template peer-session self-peer
>   ebgp-multihop 255
>  exit-peer-session
>  !
>  neighbor 10.1.0.255 remote-as 65255
>  neighbor 10.1.0.255 inherit peer-session self-peer
>  !
>  address-family ipv4 vrf ENG
>   bgp router-id 10.1.0.255
>
> I saw the same thing in SXH, but Cisco said it was fixed in SXI. Let's see what they say this time.
>
> Tim:>
>

Apparently setting "bgp router-id" in "address-family ipv4 vrf" context is the trigger.

Does anyone do anything like this in production? Can't believe I'm the first to try it.
Tim:>

From schilling2006 at gmail.com Fri Dec 26 15:17:49 2008
From: schilling2006 at gmail.com (schilling)
Date: Fri, 26 Dec 2008 15:17:49 -0500
Subject: [c-nsp] MPLS-VPN migration
In-Reply-To: <01d401c960e8$6bc17710$43446530$@id.au>
References: <9e246b4d0812170754y464d5aabmcda35c45948b3c65@mail.gmail.com> <01d401c960e8$6bc17710$43446530$@id.au>
Message-ID:

A simple question regarding Per-VRF Assignment of BGP Router ID, which makes the VRF-to-VRF peering of BGP on the same router possible. I just could not get my head straight. Do we need a physical cable from an interface/VLAN in one VRF to another VRF on the same router? Otherwise, how does the data flow from one VRF to another?

Thanks.

Schilling

On Thu, Dec 18, 2008 at 3:12 AM, Aaron Daniels - Lists wrote:
> We just tackled this one in our organisation.
>
> 2 Gotchas.
>
> 1. Router-id must be different between peers, make sure your code supports vrf specific router-id.
> 2. iBGP was very messy IMHO, so we went with eBGP using local-as to have each vrf appear to be a different 65xxx AS
>
> I can send you my lab configs tomorrow.
>
> Thanks,
> Aaron
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Durack
> > Sent: Thursday, 18 December 2008 1:54 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] MPLS-VPN migration
> >
> > Looking for some "creative" ideas on how best to accomplish this:
> >
> > We are migrating a traditional enterprise-style IP network to an MPLS-VPN network. All the infrastructure MPLS/IGP/MP-BGP work is essentially done (it's a purely PE-PE network, no P routers anywhere.)
> >
> > All "customer" networks are still in the global table. I need to migrate them into VPN groups, but maintain full reachability between global and VRFs during the migration.
> > Route-leaking will be configured between VRFs, and at a later stage some kind of firewall will be employed between VPNs. The hard part is getting everything into the VPNs first (without anyone noticing too much :-)
> >
> > Ideally I'd like to bring up BGP sessions between the global table and VRFs on each PE. I notice I can do BGP sessions between VRFs, but can't quite wrap my head around global->VRF BGP. Is this even possible?
> >
> > Thanks for thinking about it.
> >
> > Tim:>
>

From nicotine at warningg.com Fri Dec 26 15:19:15 2008
From: nicotine at warningg.com (Brandon Ewing)
Date: Fri, 26 Dec 2008 14:19:15 -0600
Subject: [c-nsp] Active Supervisor on 6500 - SNMP?
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7037AFB2B@LMC-MAIL2.exempla.org>
References: <4288131ED5E3024C9CD4782CECCAD2C7037AFB2B@LMC-MAIL2.exempla.org>
Message-ID: <20081226201915.GH18899@biological.warningg.com>

On Fri, Dec 26, 2008 at 11:08:20AM -0700, Matlock, Kenneth L wrote:
>
> Is there an SNMP MIB to tell me which supervisor in a cat6500-series chassis is currently the active, and what state (hot/cold/etc) the standby supervisor is in?
>

CISCO-RF-MIB
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/SSO_MIBS.html#wp1035478

snmpwalk -v 2c -c public 6500_vss_test 1.3.6.1.4.1.9.9.176
CISCO-RF-MIB::cRFStatusUnitId.0 = INTEGER: 21
CISCO-RF-MIB::cRFStatusUnitState.0 = INTEGER: active(14)
CISCO-RF-MIB::cRFStatusPeerUnitId.0 = INTEGER: 37
CISCO-RF-MIB::cRFStatusPeerUnitState.0 = INTEGER: standbyHot(9)
CISCO-RF-MIB::cRFStatusPrimaryMode.0 = INTEGER: true(1)
CISCO-RF-MIB::cRFStatusDuplexMode.0 = INTEGER: true(1)
CISCO-RF-MIB::cRFStatusManualSwactInhibit.0 = INTEGER: false(2)
CISCO-RF-MIB::cRFStatusLastSwactReasonCode.0 = INTEGER: userInitiated(4)
....
CISCO-RF-MIB::cRFCfgRedundancyMode.0 = INTEGER: hotStandbyRedundant(8)
CISCO-RF-MIB::cRFCfgRedundancyModeDescr.0 = STRING: SSO (Stateful Switchover)

--
Brandon Ewing (nicotine at warningg.com)

From MatlockK at exempla.org Fri Dec 26 15:32:43 2008
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Fri, 26 Dec 2008 13:32:43 -0700
Subject: [c-nsp] Active Supervisor on 6500 - SNMP?
In-Reply-To: <20081226201915.GH18899@biological.warningg.com>
References: <4288131ED5E3024C9CD4782CECCAD2C7037AFB2B@LMC-MAIL2.exempla.org> <20081226201915.GH18899@biological.warningg.com>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7037AFB2C@LMC-MAIL2.exempla.org>

Ahh, there we go! Kept looking for 'redundancy' 'failover' 'active' 'hot' 'cold', but never thought about 'RF' as an abbreviation!

Thanks for the help!

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brandon Ewing
Sent: Friday, December 26, 2008 1:19 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Active Supervisor on 6500 - SNMP?
On Fri, Dec 26, 2008 at 11:08:20AM -0700, Matlock, Kenneth L wrote:
>
> Is there an SNMP MIB to tell me which supervisor in a cat6500-series chassis is currently the active, and what state (hot/cold/etc) the standby supervisor is in?
>

CISCO-RF-MIB
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/SSO_MIBS.html#wp1035478

snmpwalk -v 2c -c public 6500_vss_test 1.3.6.1.4.1.9.9.176
CISCO-RF-MIB::cRFStatusUnitId.0 = INTEGER: 21
CISCO-RF-MIB::cRFStatusUnitState.0 = INTEGER: active(14)
CISCO-RF-MIB::cRFStatusPeerUnitId.0 = INTEGER: 37
CISCO-RF-MIB::cRFStatusPeerUnitState.0 = INTEGER: standbyHot(9)
CISCO-RF-MIB::cRFStatusPrimaryMode.0 = INTEGER: true(1)
CISCO-RF-MIB::cRFStatusDuplexMode.0 = INTEGER: true(1)
CISCO-RF-MIB::cRFStatusManualSwactInhibit.0 = INTEGER: false(2)
CISCO-RF-MIB::cRFStatusLastSwactReasonCode.0 = INTEGER: userInitiated(4)
....
CISCO-RF-MIB::cRFCfgRedundancyMode.0 = INTEGER: hotStandbyRedundant(8)
CISCO-RF-MIB::cRFCfgRedundancyModeDescr.0 = STRING: SSO (Stateful Switchover)

--
Brandon Ewing (nicotine at warningg.com)

From jason at lixfeld.ca Sat Dec 27 12:58:22 2008
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Sat, 27 Dec 2008 12:58:22 -0500
Subject: [c-nsp] configuring spanning-tree to block on the backplane
Message-ID:

Here's the scenario:

server 1 has a trunk to switch 1. One active vlan on the trunk, 15.
server 2 has a trunk to switch 1. One active vlan on the trunk, 15.
switch 2 has 2 trunks to switch 1. One active vlan on the trunks, 15.

Spanning-tree is setup as PVST on switch 1 and switch 2. Spanning-tree for vlan 15 blocks one of the ports on switch 2, which is expected. What I need to do is change the path from server 1 to server 2 so it goes via switch 2, not directly through switch 1, but I'm not sure if it's possible to block a path between two ports on the same switch in order to do what I want.
I've tried variations of disabling spanning-tree on vlan 15 on switch 1 and/or fudging the vlan port costs on switch 1 and/or switch 2, but any way I cut the cake, there is always a physical port being blocked between switch 1 and switch 2. I can always just wire the servers directly to switch 2, but if I can find a way to do it remotely by fudging the tree, it'd save me a trip.

In case it matters, switch 1 is a 3550 running 12.2(25)SEE1. Switch 2 is a 6509/SUP720 running 12.2(33)SXH3a. The 6509 connects to the 3550 via two ports on a WS-X6148A-GE-TX.

Thanks in advance.

From peter at rathlev.dk Sat Dec 27 17:09:23 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 27 Dec 2008 23:09:23 +0100
Subject: [c-nsp] configuring spanning-tree to block on the backplane
In-Reply-To:
References:
Message-ID: <1230415763.7596.15.camel@localhost.localdomain>

On Sat, 2008-12-27 at 12:58 -0500, Jason Lixfeld wrote:
> Here's the scenario:
>
> server 1 has a trunk to switch 1. One active vlan on the trunk, 15.
> server 2 has a trunk to switch 1. One active vlan on the trunk, 15.
> switch 2 has 2 trunks to switch 1. One active vlan on the trunks, 15.

So it's something like this:

   +--------+______+--------+
   |  SW 1  |______|  SW 2  |
   +--------+      +--------+
     |    |
   SRV1  SRV2

> Spanning-tree is setup as PVST on switch 1 and switch 2. Spanning-tree for vlan 15 blocks one of the ports on switch 2, which is expected. What I need to do is change the path from server 1 to server 2 so it goes via switch 2, not directly through switch 1, but I'm not sure if it's possible to block a path between two ports on the same switch in order to do what I want. I've tried variations of disabling spanning-tree on vlan 15 on switch 1 and/or fudging the vlan port costs on switch 1 and/or switch 2, but any way I cut the cake, there is always a physical port being blocked between switch 1 and switch 2.
> I can always just wire the servers directly to switch 2, but if I can find a way to do it remotely by fudging the tree, it'd save me a trip.

The spanning tree protocol treats a switch as a node in the graph, so there would be no link to block "inside" the node. Thus I don't think STP can solve your problem.

If the two physical connections between switch 1 and switch 2 aren't used for anything else, you could use two different VLANs on switch 1, each server/uplink pair in its own VLAN, and then make the two uplink ports connect to the same access VLAN on switch 2. It would require that the uplinks are simple access ports (on both sides) so it may not suit your needs.

Otherwise you might be able to do something with private VLANs. As far as I can see, you'd have to configure the two server access ports as isolated PVLAN ports and then have the uplinks be promiscuous ports. Switch 2 would be left alone. I'm not sure what STP would make of this though and it might not work at all.

> In case it matters, switch 1 is a 3550 running 12.2(25)SEE1. Switch 2 is a 6509/SUP720 running 12.2(33)SXH3a. The 6509 connects to the 3550 via two ports on a WS-X6148A-GE-TX.

Forcing the traffic to go via a 6148 card would give them less bandwidth than if they were just switched on the 3550, at least if the two ports share an ASIC.

Regards,
Peter

From eng_mssk at hotmail.com Sun Dec 28 03:59:37 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Sun, 28 Dec 2008 10:59:37 +0200
Subject: [c-nsp] LAC and LNS
Message-ID:

Hey all

Does anyone know how to configure a single router to act as LAC and LNS at the same instance?? And how to configure L2TP??

Thanks in advance
From oboehmer at cisco.com Sun Dec 28 04:28:59 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sun, 28 Dec 2008 10:28:59 +0100
Subject: [c-nsp] LAC and LNS
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784069F121B@xmb-ams-333.emea.cisco.com>

Mohammad Khalil <> wrote on Sunday, December 28, 2008 10:00:

> Hey all
> Does anyone know how to configure a single router to act as LAC and LNS at the same instance?? And how to configure L2TP??

What are you trying to achieve? L2TP forwards a PPP session from LAC to LNS, so why not just terminate the client PPP session directly?

oli

From eng_mssk at hotmail.com Sun Dec 28 04:48:42 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Sun, 28 Dec 2008 11:48:42 +0200
Subject: [c-nsp] FW: LAC and LNS
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED784069F121B@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED784069F121B@xmb-ams-333.emea.cisco.com>
Message-ID:

From: eng_mssk at hotmail.com
To: oboehmer at cisco.com
Subject: RE: [c-nsp] LAC and LNS
Date: Sun, 28 Dec 2008 11:32:11 +0200

Man, the idea is that I'm connecting 2 routers via an FE connection.

So I want the 871 router to do the dialing and obtain an IP address according to the username.

We tried that using PPPoE and it worked well.

So I'm now trying to make an L2TP tunnel between the 871 and 2811 routers. How can I do that?

> Subject: RE: [c-nsp] LAC and LNS
> Date: Sun, 28 Dec 2008 10:28:59 +0100
> From: oboehmer at cisco.com
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>
> Mohammad Khalil <> wrote on Sunday, December 28, 2008 10:00:
>
> > Hey all
> > Does anyone know how to configure a single router to act as LAC and LNS at the same instance?? And how to configure L2TP??
>
> What are you trying to achieve? L2TP forwards a PPP session from LAC to LNS, so why not just terminate the client PPP session directly?
>
> oli

From wellknown at gmx.net Sun Dec 28 05:32:19 2008
From: wellknown at gmx.net (wellknown at gmx.net)
Date: Sun, 28 Dec 2008 11:32:19 +0100
Subject: [c-nsp] q-in-q vlan stacking
Message-ID: <20081228103219.298540@gmx.net>

Hi,

I think I do not really understand the concept of vlan stacking. I would like to break the limit of 4096 vlans per router with this technique.

Please assume the network structure is as follows: one core router (capable of vlan-stacking) as uplink to several cisco 6509 switches (sup2). Let's assume the ciscos work only on layer 2; to each port an untagged vlan is assigned.

Would it be possible to provide for example 50000 separate vlans for 100 fully loaded 6509s from only one core-router with q-in-q? Do the 6509 switches need to be capable of q-in-q?

I imagine putting for example one vlan from id 1 - 450 on each port of the ciscos, configuring the uplink to the core router with trunking, and the core router handling these packets "like untagged" and adding the second vlan tag to them.

Is there any other solution (except multiple ports of (different) switches in the same vlan and preventing communication by firewall) to use more than 4096 vlans with one router?

Best regards!
-Tom

From abalashov at evaristesys.com Sun Dec 28 05:11:33 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Sun, 28 Dec 2008 05:11:33 -0500
Subject: [c-nsp] FW: LAC and LNS
In-Reply-To:
References: <70B7A1CCBFA5C649BD562B6D9F7ED784069F121B@xmb-ams-333.emea.cisco.com>
Message-ID: <495750D5.8060902@evaristesys.com>

Mohammad Khalil wrote:

> We tried that using PPPoE and it worked well.
>
> So I'm now trying to make an L2TP tunnel between the 871 and 2811 routers.

Why?

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775

From eliran.hasidg123 at gmail.com Sun Dec 28 07:50:47 2008
From: eliran.hasidg123 at gmail.com (eliran h)
Date: Sun, 28 Dec 2008 14:50:47 +0200
Subject: [c-nsp] pps limit
Message-ID: <35716de00812280450n52a4ab2by5169b6e2a92f4b52@mail.gmail.com>

Hello

I've a 7600 with a WS-X6348-RJ-45 card; one of the ports is pushing 80Mbps and 120000 pps in and out. This is a voice application; the problem is that I can't exceed 80Mbps. I don't have any config limitation, is it a card limitation?

thanks
Eliran

From adi.siswanto at indosatm2.com Sun Dec 28 08:35:01 2008
From: adi.siswanto at indosatm2.com (Adi Siswanto)
Date: Sun, 28 Dec 2008 20:35:01 +0700 (WIT)
Subject: [c-nsp] pps limit
Message-ID: <23882393.1230471301201.JavaMail.root@eiger>

yup, I think so, my experience before was around 83 mbps

rgds
From avayner at cisco.com Sun Dec 28 09:59:44 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 28 Dec 2008 15:59:44 +0100
Subject: [c-nsp] pps limit
In-Reply-To: <35716de00812280450n52a4ab2by5169b6e2a92f4b52@mail.gmail.com>
References: <35716de00812280450n52a4ab2by5169b6e2a92f4b52@mail.gmail.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A50261790E@xmb-ams-331.emea.cisco.com>

Eliran,

I assume you are talking about a 100Mbps port, right? Can you please share the show interface output?

I would assume your issue would be L2 overhead...

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of eliran h
Sent: Sunday, December 28, 2008 14:51
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] pps limit

Hello

I've a 7600 with a WS-X6348-RJ-45 card; one of the ports is pushing 80Mbps and 120000 pps in and out. This is a voice application; the problem is that I can't exceed 80Mbps. I don't have any config limitation, is it a card limitation?

thanks
Eliran

From tom at snnap.net Sun Dec 28 18:04:43 2008
From: tom at snnap.net (Tom Storey)
Date: Mon, 29 Dec 2008 09:34:43 +1030 (CST)
Subject: [c-nsp] 1841 and HWIC-8A
Message-ID: <50325.172.25.144.4.1230505483.squirrel@imap.snnap.net>

Can anyone confirm if the 1841 supports 2 * HWIC-8A, to provide a total of 16 terminal lines?

Have looked high and low, and through all of Cisco's documentation, but the only reference I can find is that the HWIC-8A is for "low to medium density applications" and if you want higher density go with the NM-16A... But nothing about what the maximum supported instance of the HWIC-8A is in an 1841 chassis.
Cheers, Tom From tom at snnap.net Sun Dec 28 18:40:42 2008 From: tom at snnap.net (Tom Storey) Date: Mon, 29 Dec 2008 10:10:42 +1030 (CST) Subject: [c-nsp] 1841 and HWIC-8A Message-ID: <62327.172.25.144.4.1230507642.squirrel@imap.snnap.net> > Can anyone confirm if the 1841 supports 2 * HWIC-8A, to provide a total of > 16 terminal lines? > > Have looked high and low, and through all of Ciscos documentation, but the > only reference I can find is that the HWIC-8A is for "low to medium > density applications" and if you want higher density go with the NM-16A... > But nothing about what the maximum supported instance of the HWIC-8A is in > an 1841 chassis. > > Cheers, > Tom Seems that 2 HWIC-8A's will be fine. If anyone has any conflicting info, sucess/failure stories I'd still like to hear from you. To be sure, to be sure. :-) Cheers, Tom From brett at looney.id.au Sun Dec 28 18:34:41 2008 From: brett at looney.id.au (Brett Looney) Date: Mon, 29 Dec 2008 08:34:41 +0900 Subject: [c-nsp] 1841 and HWIC-8A In-Reply-To: <50325.172.25.144.4.1230505483.squirrel@imap.snnap.net> References: <50325.172.25.144.4.1230505483.squirrel@imap.snnap.net> Message-ID: <000501c96944$dda2dae0$98e890a0$@id.au> > Can anyone confirm if the 1841 supports 2 * HWIC-8A, to provide a > total of 16 terminal lines? The Configuration Tool is your friend: https://tools.cisco.com/qtc/config/jsp/configureHome.jsp According to the tool, an 1841 with 2 x HWIC-8A is a valid configuration. B. 
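To make Arie's "L2 overhead" suggestion in the pps limit thread above concrete, here is an added Python example (not from the list, and not anyone's posted code) that works through Eliran's own numbers. It assumes the 80 Mbps interface counter covers the Ethernet frame itself but not the 20 bytes of preamble/SFD and inter-frame gap that every frame also occupies on the wire.

```python
"""Wire-rate check for the "can't exceed 80 Mbps at 120,000 pps" question.

Added example, not from the list thread. It works through Arie Vayner's
"L2 overhead" suggestion using Eliran's own numbers. Assumption: the 80 Mbps
reported by the interface counters covers the Ethernet frame (header,
payload, FCS), while the 8-byte preamble/SFD and the 12-byte inter-frame
gap that precede every frame on the wire are never counted.
"""

PREAMBLE_SFD = 8                            # bytes clocked onto the wire before each frame
IFG = 12                                    # minimum inter-frame gap, in byte times
UNCOUNTED_PER_FRAME = PREAMBLE_SFD + IFG    # 20 bytes per packet the counters miss


def avg_frame_bytes(bps: float, pps: float) -> float:
    """Average counted frame size implied by a byte rate and a packet rate."""
    return bps / 8.0 / pps


def wire_bps(bps: float, pps: float, uncounted: int = UNCOUNTED_PER_FRAME) -> float:
    """Bits per second really consumed on the medium: the counted rate plus
    the per-frame overhead the counters leave out."""
    return bps + pps * uncounted * 8


def utilisation(bps: float, pps: float, link_bps: float) -> float:
    """Fraction of the link's raw capacity this traffic occupies."""
    return wire_bps(bps, pps) / link_bps


def max_counted_bps(pps: float, link_bps: float,
                    uncounted: int = UNCOUNTED_PER_FRAME) -> float:
    """Highest counted rate a link can show at a given packet rate; anything
    above this is physically impossible however the port is configured."""
    return link_bps - pps * uncounted * 8


if __name__ == "__main__":
    # The thread's numbers: 80 Mbps and 120,000 pps on a 100 Mbps port
    bps, pps, link = 80e6, 120e3, 100e6
    print(f"average frame   : {avg_frame_bytes(bps, pps):.1f} bytes")            # 83.3 bytes
    print(f"on the wire     : {wire_bps(bps, pps) / 1e6:.1f} Mbps")               # 99.2 Mbps
    print(f"link utilisation: {utilisation(bps, pps, link):.1%}")                 # 99.2%
    print(f"ceiling at {pps:.0f} pps: {max_counted_bps(pps, link) / 1e6:.1f} Mbps")  # 80.8 Mbps
```

With 83-byte voice frames the uncounted 20 bytes per frame are almost a quarter of the traffic, so if L2 overhead is the cause the counters would top out near 80 Mbps on a saturated 100 Mbps port.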
From: Oliver Boehmer (oboehmer) (oboehmer at cisco.com)
Date: Mon, 29 Dec 2008 11:01:38 +0100
Subject: [c-nsp] FW: LAC and LNS
References: <70B7A1CCBFA5C649BD562B6D9F7ED784069F121B@xmb-ams-333.emea.cisco.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784069F12A1@xmb-ams-333.emea.cisco.com>

Mohammad Khalil <> wrote on Sunday, December 28, 2008 10:49:

> Man, the idea is that I'm connecting 2 routers via an FE connection,
> so I want the 871 router to dial and obtain an IP address
> according to the username.
>
> We tried that using PPPoE and it worked well,
> so I'm now trying to make an L2TP tunnel between the 871 and 2811 routers.
> How can I make that?

Ah, now I see, I guess I misunderstood your scenario. You could use client-initiated L2TP (http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtvoltun.html) to build the L2TP tunnel..

oli

>> Subject: RE: [c-nsp] LAC and LNS
>> Date: Sun, 28 Dec 2008 10:28:59 +0100
>> From: oboehmer at cisco.com
>> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>>
>> Mohammad Khalil <> wrote on Sunday, December 28, 2008 10:00:
>>
>>> Hey all
>>> Does anyone know how to configure a single router to act as LAC and
>>> LNS at the same instance?? And how to configure L2TP??
>>
>> What are you trying to achieve? L2TP forwards a PPP session from LAC
>> to LNS, so why not just terminate the client PPP session directly?
>>
>> oli


From: Murphy, William (William.Murphy at uth.tmc.edu)
Date: Mon, 29 Dec 2008 12:40:29 -0600
Subject: [c-nsp] 6500 and VSS
In-Reply-To: <7C8AE13CAD9741738D4CDE444B92DFC5@flamdt1>
Message-ID: <164030B85F3A8B40B960817918CB021001BC712A@UTHEVS4.mail.uthouston.edu>

I was told by Cisco that SXI supports both v6 and MPLS with VSS... Can anyone else confirm this, and if so, is anyone using VSS with these features in a production network? Thanks...

Bill

-----Original Message-----
From: Tony Varriale
Sent: Thursday, December 25, 2008 10:27 PM
To: Tolstykh, Andrew; Tim Durack
Cc: cisco-nsp
Subject: Re: [c-nsp] 6500 and VSS

Any service mods? Or just straight GE and/or TE?

tv

----- Original Message -----
From: "Tolstykh, Andrew"
To: "Tim Durack" ; "Tony Varriale"
Cc: "cisco-nsp"
Sent: Thursday, December 25, 2008 3:33 PM
Subject: RE: [c-nsp] 6500 and VSS

SXH3a/4 spurious interrupts raised on the following events:
- Archive feature triggered on the write mem
- L3 port-channel bundle member interface addition with the IP address still configured on the member interface (symptoms include: freeze up for 30 seconds, spurious interrupts with the path to pagp module).

SXI is free of these defects and overall appears to be running great.

-----Original Message-----
From: Tim Durack
Sent: Thursday, December 25, 2008 10:57 AM
To: Tony Varriale
Cc: cisco-nsp
Subject: Re: [c-nsp] 6500 and VSS

On Thu, Dec 25, 2008 at 10:33 AM, Tony Varriale wrote:
> Would you mind sharing which "features" you are bouncing off of?
>
> We have a couple of implementations and they are going well.
>
> No SXI yet w/ other blades....SXH with basic stuff appears to work ok
> especially for a rev 1 feature.

SXH2 has some critical NetFlow bugs. Cisco said disable "ip flow ingress" on all interfaces as a work-around.

Unfortunately we have experienced other crashes too, without identifying root-cause.

At this point we have completed the migration to SXI, so I'm trying to forget all about SXH.

(I should probably mention this is modular IOS.)

Tim:>


From: Gregori Parker (Gregori.Parker at theplatform.com)
Date: Mon, 29 Dec 2008 10:09:01 -0800
Subject: [c-nsp] GLC vs SFP
Message-ID: <1A9866F953006D45AEE0166066114E0914FDD1B8@TPMAIL02.corp.theplatform.com>

Working with a 7206VXR w/ NPE-G2 and I've been using GLC-SX-MM transceivers for interconnects with no problems.
Had the need to support LX handoffs arise and noticed that Cisco advises SFP-* transceivers rather than GLC-*, and I'm wondering why... the only differences between the transceivers appear to be price (x2) and DOM support (and operational temperature range). Considering that my GLC-SX-MM's work just fine, I'm assuming that GLC-LH-SM's will as well (but can't test at the moment)... nevertheless, I'm trying to sanity check here: Are there any potential issues with ignoring Cisco and using GLC-* transceivers rather than SFP-* in the 7200VXR? Do I really need the SFP-GE-L?

Thanks in advance


From: Tim Durack (tdurack at gmail.com)
Date: Mon, 29 Dec 2008 13:45:10 -0500
Subject: [c-nsp] 6500 and VSS
In-Reply-To: <164030B85F3A8B40B960817918CB021001BC712A@UTHEVS4.mail.uthouston.edu>
Message-ID: <9e246b4d0812291045p28232493ndfe4ba00ad8d9d6e@mail.gmail.com>

On Mon, Dec 29, 2008 at 1:40 PM, Murphy, William wrote:
> I was told by Cisco that SXI supports both v6 and MPLS with VSS... Can
> anyone else confirm this, and if so is anyone using VSS with these features
> in a production network? Thanks...

SXI does not. SXI(n) might.

Tim:>


From: Vikas Sharma (vikassharmas at gmail.com)
Date: Tue, 30 Dec 2008 13:42:30 +0530
Subject: [c-nsp] FWSM - BGP STUB

Hi,

I have FWSM contexts connected to a vrf (part of the MSFC); this vrf is then connected to the FWSM ext context and then to the msfc.

fwsm context (1,2,3...n) ---> VRF --> Ext FWSM context ---> MSFC (Global routing table)

From fwsm ctx1,2,....n to the vrf are point to point connections:

ctx1 --- vrf1 (vlan1)
ctx2 --- vrf1 (vlan2)

point to point interfaces from ctx to vrf.

I want to use BGP stub in this scenario. But the limitation is that BGP stub can only be configured in the admin context. Is it possible to configure BGP stub in this scenario?

Regards,
Vikas Sharma


From: ann kok (oiyankok at yahoo.ca)
Date: Tue, 30 Dec 2008 04:23:21 -0800 (PST)
Subject: [c-nsp] packet filtered message
Message-ID: <322360.28920.qm@web111315.mail.gq1.yahoo.com>

Hi

I ping this Catalyst 3500 switch. The switch is not responding, but why does it return this message? I also can't telnet to this switch.

Do you know why?

PING 192.186.186.118 (192.186.186.118) 56(84) bytes of data.
From 192.186.186.118 icmp_seq=1 Packet filtered
From 192.186.186.118 icmp_seq=2 Packet filtered
From 192.186.186.118 icmp_seq=3 Packet filtered
From 192.186.186.118 icmp_seq=4 Packet filtered
From 192.186.186.118 icmp_seq=5 Packet filtered
From 192.186.186.118 icmp_seq=6 Packet filtered
From 192.186.186.118 icmp_seq=7 Packet filtered

--- 192.186.186.118 ping statistics ---
7 packets transmitted, 0 received, +7 errors, 100% packet loss, time 5999ms

Thank you


From: Paul Stewart (paul at paulstewart.org)
Date: Tue, 30 Dec 2008 08:36:08 -0500
Subject: [c-nsp] packet filtered message
In-Reply-To: <322360.28920.qm@web111315.mail.gq1.yahoo.com>
Message-ID: <010201c96a83$92ab7520$b8025f60$@org>

It's firewalled possibly?

Just looked up that IP in our routing tables and it doesn't exist ... is this switch on the Internet itself??
From: Matlock, Kenneth L (MatlockK at exempla.org)
Date: Tue, 30 Dec 2008 08:30:21 -0700
Subject: [c-nsp] packet filtered message
In-Reply-To: <010201c96a83$92ab7520$b8025f60$@org>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7065D3015@LMC-MAIL2.exempla.org>

Have you also checked to make sure you (or someone else) didn't fat-finger the address?

You sure you didn't mean 192.168.x.x instead of 192.186.x.x?

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlockk at exempla.org


From: Marko Milivojevic (markom at markom.info)
Date: Tue, 30 Dec 2008 15:36:06 +0000
Subject: [c-nsp] 3550 routing performance
In-Reply-To: <179880.89758.qm@web110114.mail.gq1.yahoo.com>

On Fri, Dec 19, 2008 at 08:01, Tony wrote:
>
> I should have included that in my original post, I had already set SDM to routing extended-match. If you don't you get a warning when you add a VRF to prompt you to do it.
>
> Unfortunately not something that obvious.

I'm a bit slow in reading the mailing lists :-).

Did you reload the switch after you applied the new SDM template? Also, are you sure that you are not experiencing a "duplex mismatch" or some similar issue? Do interface counters show anything unusual?


From: Paul Stewart (paul at paulstewart.org)
Date: Tue, 30 Dec 2008 10:45:27 -0500
Subject: [c-nsp] packet filtered message
In-Reply-To: <464560.89018.qm@web111313.mail.gq1.yahoo.com>
Message-ID: <010601c96a95$a35c3410$ea149c30$@org>

Why not use 192.168.x.x for your IP addresses then, to ensure that when trying to reach the switch you're not going to the Internet to try and reach it?
Is there a valid reason you're using this IP space for testing purposes?

ann kok wrote:
> This address is a fake address.
> I am sure the address I ping is the switch address.
> But I don't know why it returns packet filtered, and there is no firewall before this switch.


From: Adam Armstrong (lists at memetic.org)
Date: Tue, 30 Dec 2008 15:59:10 +0000
Subject: [c-nsp] GLC vs SFP
In-Reply-To: <1A9866F953006D45AEE0166066114E0914FDD1B8@TPMAIL02.corp.theplatform.com>
Message-ID: <495A454E.7060606@memetic.org>

Gregori Parker wrote:
> Are there any potential issues with ignoring Cisco and using GLC-* transceivers
> rather than SFP-* in the 7200VXR? Do I really need the SFP-GE-L?
You run the serious risk of not giving Cisco 5x more than you'd pay for transceivers elsewhere!

adam.


From: Chintan Shah (networking.stuff at googlemail.com)
Date: Tue, 30 Dec 2008 21:40:18 +0530
Subject: [c-nsp] IGP advertisment
Message-ID: <1e7e04890812300810m7d70a00dq1974dc58af722778@mail.gmail.com>

Hi,

As of now we have all /30 and /32 networks being advertised in our IP/MPLS network running IS-IS in L1 and L2, so all PEs have the total number of IGP routes in the network in their routing table.

We plan to advertise only the loopbacks of P and PE in the IGP, to reduce memory and also for better convergence. I think I can do that without any issue, but I worry that our operations team may not agree, since they may lose troubleshooting flexibility like traceroute, telnet to interface etc...

Can someone shed some light on this, with some advantages/disadvantages in a real environment?

Thanks,
Chintan


From: ann kok (oiyankok at yahoo.ca)
Date: Tue, 30 Dec 2008 07:37:55 -0800 (PST)
Subject: [c-nsp] packet filtered message
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7065D3015@LMC-MAIL2.exempla.org>
Message-ID: <464560.89018.qm@web111313.mail.gq1.yahoo.com>

Hi all

Thank you for your help

This address is a fake address.
I am sure the address I ping is the switch address.
But I don't know why it returns packet filtered, and there is no firewall before this switch.

Thank you

--- On Tue, 12/30/08, Matlock, Kenneth L wrote:
> Have you also checked to make sure you (or someone else) didn't
> fat-finger the address?
>
> You sure you didn't mean 192.168.x.x instead of 192.186.x.x?


From: Reinhold Fischer (Reinhold.Fischer at gmx.net)
Date: Tue, 30 Dec 2008 17:39:29 +0100
Subject: [c-nsp] IGP advertisment
In-Reply-To: <1e7e04890812300810m7d70a00dq1974dc58af722778@mail.gmail.com>
Message-ID: <20081230163929.GA17085@susi>

On Tue, Dec 30, 2008 at 09:40:18PM +0530, Chintan Shah wrote:
...
> I think I can do that without any issue, but I worry that our operations team
> may not agree, since they may lose troubleshooting flexibility like
> traceroute, telnet to interface etc...
...

Why not put the /30 transfer networks into (i)BGP? These prefixes will converge a bit slower, but you still have the troubleshooting possibilities.

hth
Reinhold


From: Arie Vayner (avayner) (avayner at cisco.com)
Date: Tue, 30 Dec 2008 18:34:31 +0100
Subject: [c-nsp] IGP advertisment
In-Reply-To: <1e7e04890812300810m7d70a00dq1974dc58af722778@mail.gmail.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A502617A7C@xmb-ams-331.emea.cisco.com>

Chintan,

Traceroute will keep working (as long as the destination is a loopback). You can still telnet/ping physical interfaces from directly attached routers, so if you troubleshoot an L2 issue you do not lose much capability.

Arie


From: Adam Greene (maillist at webjogger.net)
Date: Tue, 30 Dec 2008 14:14:30 -0500
Subject: [c-nsp] ip cef / ospf redundancy testing
Message-ID: <20E59E7E6D9B4A4BA8F614D5749BDFA8@GINKGO>

Maybe someone could point me in the right direction ...

I'm doing some redundancy testing in the lab ...

I basically have two 3750's linked together redundantly via OSPF. IP CEF is enabled. Both switches are running 12.2(25)SEE2. Switch B is receiving redundant default routes from switch A.

According to "sh ip cef exact-route" issued on switch B, traffic from to and from to should all be travelling over a single link, leaving the other one empty of traffic. However, what I am actually seeing is that traffic from to is flowing over one link, and from to is travelling over the other.

"sh ip cef detail" confirms that per-destination load balancing should be occurring, and when I run a single stream of traffic, indeed round-robin per-packet load-sharing is not occurring.

Why would the traffic be following a different path than what the "sh ip cef exact-route" command suggests it should?

Maybe I need to provide more detail for anyone to be able to opine ...

Thanks,
adam


From: Adam Greene (maillist at webjogger.net)
Date: Tue, 30 Dec 2008 16:23:36 -0500
Subject: [c-nsp] ip cef / ospf redundancy testing
References: <20E59E7E6D9B4A4BA8F614D5749BDFA8@GINKGO>
Message-ID: <2B4FF78B811C4D96BC3455C4D832C88F@GINKGO>

Maybe simplifying the question will help.

When I do a "sh ip cef exact-route " on the 3750, it shows me that traffic should flow over link A. However, in actuality, it flows over link B.
When I do a "sh ip cef exact-route " it shows me that traffic should flow over link B. However, it actually flows over link A.

When I use a different address but the same addresses, the "sh ip cef exact-route" command gives me accurate results.

I don't have any policy routing enabled.

I'm trying to figure out why sometimes the "sh ip cef exact-route" command would produce accurate output and why sometimes it wouldn't. Stumped.

(p.s. thanks for the off-list reply I received)


From: Tony (td_miles at yahoo.com)
Date: Tue, 30 Dec 2008 14:26:34 -0800 (PST)
Subject: [c-nsp] 3550 routing performance
Message-ID: <548821.48332.qm@web110113.mail.gq1.yahoo.com>

Thanks to those who helped with this. I am ashamed to admit that, despite my best intent at testing this thoroughly, it was indeed a duplex mismatch (Doh!). That fixed the problem in my test environment; now I need to find out where it is in the production setup and correct it.

Thanks again,
Tony.

--- On Wed, 31/12/08, Marko Milivojevic wrote:
> Did you reload the switch after you applied the new SDM template? Also,
> are you sure that you are not experiencing a "duplex mismatch" or some
> similar issue? Do interface counters show anything unusual?
From vegasnetman at gmail.com Tue Dec 30 19:58:26 2008
From: vegasnetman at gmail.com (Ozar)
Date: Tue, 30 Dec 2008 16:58:26 -0800
Subject: [c-nsp] ONS 15454 Backups
Message-ID: <8cd002180812301658i545e922exf8729cc9fcc2741c@mail.gmail.com>

Does anyone know if there is another way to backup the database on a Cisco ONS 15454 other than using the CTC to manually back it up?

-brian

From jackson.tim at gmail.com Tue Dec 30 20:20:13 2008
From: jackson.tim at gmail.com (Tim Jackson)
Date: Tue, 30 Dec 2008 19:20:13 -0600
Subject: [c-nsp] ONS 15454 Backups
In-Reply-To: <8cd002180812301658i545e922exf8729cc9fcc2741c@mail.gmail.com>
References: <8cd002180812301658i545e922exf8729cc9fcc2741c@mail.gmail.com>
Message-ID: <4407932e0812301720g15b495dlc488d6bbfdd9155b@mail.gmail.com>

Via TL1:

COPY-RFILE:TID:RFILE-PKG:703::TYPE=SWDL,SRC="FTP://USERID:PASSWORD at HOSTIP:21/DIR1/DIR2/DIR3/PACKAGE.PKG";

See the TL1 manual...
http://www.ciscosystems.com/en/US/docs/optical/15000r7_0_1/tl1/454sdh/command/guide/e701copy.pdf

I've used Net::Telnet to automate this, works well, much better than manually backing up 200 454s... There may be a way to do this via SNMP, but I'm not sure...

--
Tim

On 12/30/08, Ozar wrote:
> Does anyone know if there is another way to backup the database on a Cisco
> ONS 15454 other than using the CTC to manually back it up?
>
> -brian

From kgasso-lists at visp.net Tue Dec 30 20:27:03 2008
From: kgasso-lists at visp.net (Kameron Gasso)
Date: Tue, 30 Dec 2008 17:27:03 -0800
Subject: [c-nsp] packet filtered message
In-Reply-To: <464560.89018.qm@web111313.mail.gq1.yahoo.com>
References: <464560.89018.qm@web111313.mail.gq1.yahoo.com>
Message-ID: <495ACA67.5010209@visp.net>

ann kok wrote:
> I am sure the address I ping is switch address.
> But I don't know why it returns packet filtered
> and no firewall before this switch

Hi,

Sounds like there's an access-list configured on the switch itself which is filtering you, since the ICMP unreachable came directly from the switch.

You're likely either going to need physical access to the console port to get in or you'll need to connect from a host not filtered by the access-list. Of course, if you don't know how the access-list reads (and can't get in to find out), you're going to need physical access anyway.

Regards,
--
Kameron Gasso | Senior Systems Administrator | visp.net
Direct: 541-955-6903 | Fax: 541-471-0821

From vikassharmas at gmail.com Tue Dec 30 22:45:04 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Wed, 31 Dec 2008 09:15:04 +0530
Subject: [c-nsp] FWSM - BGP stub vs RHI
Message-ID:

Hi,

In FWSM implementation, which one is preferred, BGP stub or RHI? My low confidence in RHI is because it is the new feature and not deployed extensively.

Regards,
Vikas Sharma

From vikassharmas at gmail.com Wed Dec 31 01:42:28 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Wed, 31 Dec 2008 12:12:28 +0530
Subject: [c-nsp] ip cef linecard ipc service-timer on XR
Message-ID:

Hi,

Command "ip cef linecard ipc service-timer" works fine on 12k (with service internal).
I tried this command over XR and found there is no service internal. Can I use this command on XR to optimize the traffic?

Regards,
Vikas Sharma

From abidin.kahraman at gmail.com Wed Dec 31 07:01:24 2008
From: abidin.kahraman at gmail.com (Abidin Kahraman)
Date: Wed, 31 Dec 2008 12:01:24 +0000
Subject: [c-nsp] ip cef linecard ipc service-timer on XR
In-Reply-To:
References:
Message-ID: <514b64d70812310401l125e110dmd66509370499911d@mail.gmail.com>

Hi Vikas,

FIB distribution to LC is optimized by default, therefore there is no need to tune IPC timers in XR. This command is not applicable to XR.

Regards,
Abidin

On Wed, Dec 31, 2008 at 6:42 AM, Vikas Sharma wrote:
> Hi,
>
> Command "ip cef linecard ipc service-timer" works fine on 12k (with service
> internal). I tried this command over XR and found there is no service
> internal. Can I use this command on XR to optimize the traffic?
>
> Regards,
> Vikas Sharma
>

From dwinkworth at att.net Wed Dec 31 12:40:02 2008
From: dwinkworth at att.net (Derick Winkworth)
Date: Wed, 31 Dec 2008 11:40:02 -0600
Subject: [c-nsp] FWSM - BGP stub vs RHI
In-Reply-To:
References:
Message-ID: <495BAE72.6010607@att.net>

RHI is multi-context, BGP stub is not... last I recall. Also I don't think RHI is a licensed feature, it's just available with the IOS... BGP stub is licensed for some reason.

Vikas Sharma wrote:
> Hi,
>
> In FWSM implementation, which one is preferred, BGP stub or RHI? My low
> confidence in RHI is because it is the new feature and not deployed extensively.
>
> Regards,
> Vikas Sharma
>

From avayner at cisco.com Wed Dec 31 15:39:46 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 31 Dec 2008 21:39:46 +0100
Subject: [c-nsp] FWSM - BGP stub vs RHI
In-Reply-To:
References:
Message-ID: <67F7C1FAF83A074AA3520D8F155782A502617AF9@xmb-ams-331.emea.cisco.com>

Vikas,

RHI is not a new feature in general. It exists on many other service blades for 6500 including CSM (since 4-5 years ago), ACE and DDoS Guard (both at least for 2-3 years).

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma
Sent: Wednesday, December 31, 2008 05:45
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] FWSM - BGP stub vs RHI

Hi,

In FWSM implementation, which one is preferred, BGP stub or RHI? My low confidence in RHI is because it is the new feature and not deployed extensively.
Regards,
Vikas Sharma

From andree at toonk.nl Wed Dec 31 15:56:20 2008
From: andree at toonk.nl (Andree Toonk)
Date: Wed, 31 Dec 2008 12:56:20 -0800
Subject: [c-nsp] ONS 15454 Backups
In-Reply-To: <4407932e0812301720g15b495dlc488d6bbfdd9155b@mail.gmail.com>
References: <8cd002180812301658i545e922exf8729cc9fcc2741c@mail.gmail.com> <4407932e0812301720g15b495dlc488d6bbfdd9155b@mail.gmail.com>
Message-ID: <495BDC74.3060209@toonk.nl>

Hi,

.-- My secret spy satellite informs me that at 12/30/08 5:20 PM Tim Jackson wrote:
> Via TL1:
>
> I've used Net::Telnet to automate this, works well, much better than
> manually backing up 200 454s... There may be a way to do this via
> SNMP, but I'm not sure...

You might want to take a look at the Perl TL1 Toolkit:
https://noc.sara.nl/nrg/TL1-Toolkit/index.html

It's a Perl library designed to communicate with TL1 devices. It has some specific functions for several Nortel and Cisco devices, but should work with any TL1 device. The package comes with some example scripts as well. We use it extensively to monitor (and report about) our SONET/SDH and DWDM network.

Cheers,
Andree
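The building blocks for automating the TL1 backup Tim describes (and that the TL1 Toolkit Andree points to also drives), as an added example that is not code from either post, from Cisco or from the toolkit: it assembles the COPY-RFILE command in the form quoted above, masks the FTP password that the SRC URL carries in cleartext before the command is written to any log, and checks the node's reply for the matching CTAG and COMPLD. The telnet transport to the node is left to the caller; the response layout and the sample replies are constructed for this example, and the TYPE value is simply the one from the quoted command.

```python
import re
from dataclasses import dataclass, field

# Characters that would break the SRC URL or TL1 quoting; reject rather than guess at escaping.
_URL_BREAKERS = set(':@/";')

def build_copy_rfile(tid, ctag, ftp_user, ftp_password, ftp_host, path, xfer_type="SWDL"):
    """Build COPY-RFILE in the form quoted in the thread. The FTP credentials ride in
    the URL in cleartext (and TL1 over telnet is cleartext), so log only redact()'s output."""
    for value in (ftp_user, ftp_password):
        if _URL_BREAKERS & set(value):
            raise ValueError("credential contains a character that breaks the SRC URL")
    src = f"FTP://{ftp_user}:{ftp_password}@{ftp_host}:21/{path.lstrip('/')}"
    return f'COPY-RFILE:{tid}:RFILE-PKG:{ctag}::TYPE={xfer_type},SRC="{src}";'

_CRED_RE = re.compile(r'(FTP://[^:/@"]+:)[^@"]*@', re.IGNORECASE)

def redact(cmd):
    """Mask the FTP password so the command can go into logs or an audit trail."""
    return _CRED_RE.sub(r"\1*****@", cmd)

@dataclass
class Tl1Response:
    sid: str      # node name from the header line
    ctag: str     # correlation tag echoed back from the command
    status: str   # COMPLD, DENY or PRTL
    text: list = field(default_factory=list)

_RESP_RE = re.compile(r"^M\s+(\S+)\s+(COMPLD|DENY|PRTL)$")

def parse_response(raw):
    """Parse a TL1 output response: header line, 'M <ctag> <status>' line, optional
    text lines, then the ';' terminator (or '>' when more output follows)."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    m = _RESP_RE.match(lines[1]) if len(lines) >= 2 else None
    if not m:
        raise ValueError(f"malformed TL1 response: {raw!r}")
    return Tl1Response(sid=lines[0].split()[0], ctag=m.group(1), status=m.group(2),
                       text=[ln for ln in lines[2:] if ln not in (";", ">")])

def backup_succeeded(raw, expected_ctag):
    """True only when the reply carries our CTAG and reports COMPLD, so a DENY or a
    reply to some other command is never mistaken for a finished backup."""
    resp = parse_response(raw)
    return resp.ctag == str(expected_ctag) and resp.status == "COMPLD"

# Constructed sample responses, not captured from a real node.
SAMPLE_COMPLD = "\r\n   ONS-LAB-1 08-12-30 17:20:13\r\nM  703 COMPLD\r\n;\r\n"
SAMPLE_DENY = ("\r\n   ONS-LAB-1 08-12-30 17:20:14\r\nM  703 DENY\r\n"
               "   IIAC\r\n   /* Input, Invalid Access Identifier */\r\n;\r\n")
```

When looping over a fleet of nodes, a distinct CTAG per command lets a script tie each reply back to the right node and command instead of trusting reply order.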